openssl/openssl

OpenSSL can't see OPENSSL_MODULES env var when using Linux capabilities

Open

#21 770 ouverte le 17 août 2023

Voir sur GitHub
 (27 commentaires) (0 réactions) (0 assignés)C (11 262 forks)batch import
backlog fixhelp wantedtriaged: feature

Métriques du dépôt

Stars
 (30 157 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

Background

OpenSSL, and specifically the libssl part of it, is primarily used for network encryption. In Cloud, it is generally good practice that an application which uses of OpenSSL is NOT running as root. This prevents the application from binding to a privileged network:port (e.g. 443, typically any port < 1024), UNLESS the net-cap-bind-service capability is added to the application (e.g. sudo setcap cap_net_bind_service=+ep /path/to/application) As a result, running an application in Cloud as non-root, but with addition of net-cap-bind-service capabilities, is in widespread use in Cloud.

Issue

Linux capabilities provide a subset of the available root privileges to a process. Given the higher privileges, application programs with added capabilities are therefore started in a secure-execution mode in Linux. For security reasons, if the dynamic linker determines that a binary should be run in secure-execution mode, the effects of some environment variables are voided or modified, and furthermore those environment variables are stripped from the environment, so that the program does not even see the definitions.

This means OpenSSL will not be able to see/read the OPENSSL_MODULES environment variable, and therefore will never load a provider. This renders the providers useless in situations where capabilities are added to applications, specifically the case for net-cap-bind-service capability.

Guide contributeur