OpenSSL can't see OPENSSL_MODULES env var when using Linux capabilities
#21,770 创建于 2023年8月17日
仓库指标
- Star
- (30,157 star)
- PR 合并指标
- (30 天内没有已合并 PR)
描述
Background
OpenSSL, and specifically the libssl part of it, is primarily used for network encryption.
In Cloud, it is generally good practice that an application which uses of OpenSSL is NOT running as root. This prevents the application from binding to a privileged network:port (e.g. 443, typically any port < 1024), UNLESS the net-cap-bind-service capability is added to the application (e.g. sudo setcap cap_net_bind_service=+ep /path/to/application)
As a result, running an application in Cloud as non-root, but with addition of net-cap-bind-service capabilities, is in widespread use in Cloud.
Issue
Linux capabilities provide a subset of the available root privileges to a process. Given the higher privileges, application programs with added capabilities are therefore started in a secure-execution mode in Linux. For security reasons, if the dynamic linker determines that a binary should be run in secure-execution mode, the effects of some environment variables are voided or modified, and furthermore those environment variables are stripped from the environment, so that the program does not even see the definitions.
This means OpenSSL will not be able to see/read the OPENSSL_MODULES environment variable, and therefore will never load a provider. This renders the providers useless in situations where capabilities are added to applications, specifically the case for net-cap-bind-service capability.