openssl/openssl

OpenSSL can't see OPENSSL_MODULES env var when using Linux capabilities

Open

#21,770 创建于 2023年8月17日

在 GitHub 查看
 (27 评论) (0 反应) (0 负责人)C (11,262 fork)batch import
backlog fixhelp wantedtriaged: feature

仓库指标

Star
 (30,157 star)
PR 合并指标
 (30 天内没有已合并 PR)

描述

Background

OpenSSL, and specifically the libssl part of it, is primarily used for network encryption. In Cloud, it is generally good practice that an application which uses of OpenSSL is NOT running as root. This prevents the application from binding to a privileged network:port (e.g. 443, typically any port < 1024), UNLESS the net-cap-bind-service capability is added to the application (e.g. sudo setcap cap_net_bind_service=+ep /path/to/application) As a result, running an application in Cloud as non-root, but with addition of net-cap-bind-service capabilities, is in widespread use in Cloud.

Issue

Linux capabilities provide a subset of the available root privileges to a process. Given the higher privileges, application programs with added capabilities are therefore started in a secure-execution mode in Linux. For security reasons, if the dynamic linker determines that a binary should be run in secure-execution mode, the effects of some environment variables are voided or modified, and furthermore those environment variables are stripped from the environment, so that the program does not even see the definitions.

This means OpenSSL will not be able to see/read the OPENSSL_MODULES environment variable, and therefore will never load a provider. This renders the providers useless in situations where capabilities are added to applications, specifically the case for net-cap-bind-service capability.

贡献者指南