Hi,
So I’m experiencing an odd behavior of a snap package I’m maintaining. This package requires tcpdump and libpcap8.0, which are staged and shipped with the snap.
For a while I’ve been investigating why it works on my laptop (Ubuntu Desktop) and an RPi3 with Ubuntu Server, but not on my RPi4 with Ubuntu Core.
So yesterday I re-installed a new version of Ubuntu Server and installed the snap. It worked as expected.
Then I realized that the packages tcpdump and libpcap8.0 are pre-installed on Ubuntu Server, through apt.
So I uninstalled them and did a reboot. Now the snap won’t work anymore.
It’s the Python program scapy that uses the above packages. I have narrowed the problem down to the method find_library within the ctypes.util module. The documentation says that it will use
ctypes.util.find_library(name)
Try to find a library and return a pathname. name is the library name without any prefix like lib, suffix like .so, .dylib or version number (this is the form used for the posix linker option -l). If no library can be found, returns None.
The exact functionality is system dependent.
On Linux, find_library() tries to run external programs (/sbin/ldconfig, gcc, objdump and ld) to find the library file. It returns the filename of the library file.
Changed in version 3.6: On Linux, the value of the environment variable LD_LIBRARY_PATH is used when searching for libraries, if a library cannot be found by any other means.
I know that /usr/sbin/ldconfig is available on the «main» system of Ubuntu, and also included in the core* snap packages. It is not bundled with my snap.
However I don’t understand how ctypes.util can gain access to this program and list system libraries? It should be restricted access to the program ldconfig, and fallback (from doc) to LD_LIBRARY_PATH, which is set correctly:
LD_LIBRARY_PATH:=/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl32:
/var/lib/snapd/void:/snap/<snap>/354/lib:/snap/<snap>/354/usr/lib:
/snap/<snap>/354/lib/aarch64-linux-gnu:
/snap/<snap>/354/usr/lib/aarch64-linux-gnu
But I guess it’s never used since ldconfig is leaked into the snap package?
This is the PATH:
PATH=/snap/<snap>/354/usr/sbin:/snap/<snap>/354/usr/bin:
/snap/<snap>/354/sbin:/snap/<snap>/354/bin:
/usr/local/sbin:/usr/local/bin:/usr/sbin:
/usr/bin:/sbin:/bin:/usr/games:
/usr/local/games
I could probably restrict this by doing a layout for /usr/sbin/ and every other path in the PATH-variable that is not /snap/. But shouldn’t it work like this by default, since the PATH variable is set by default like this, and at least restrict access to files within them?
Could also ship ldconfig with the snap, but since ctypes.util already has the information it needs in LD_LIBRARY_PATH I figured it shouldn’t be unnecessary?
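
Added example, not part of the original post: a diagnostic for the behaviour described above. It reports where each external helper that find_library may run (the four named in the documentation quoted in the post) resolves on PATH, and it scans LD_LIBRARY_PATH directly without executing any of them. The function names are hypothetical, and `SNAP` is assumed to be the environment variable holding the snap's install root.

```python
import ctypes.util
import os
import re
import shutil


def scan_ld_library_path(name, ld_library_path=None):
    """Return the first lib<name>.so[.N...] found in LD_LIBRARY_PATH, or None.

    Pure directory scan: no ldconfig, gcc, objdump or ld is executed.
    """
    if ld_library_path is None:
        ld_library_path = os.environ.get("LD_LIBRARY_PATH", "")
    pattern = re.compile(r"lib%s\.so(\.\d+)*$" % re.escape(name))
    for directory in ld_library_path.split(":"):
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue  # empty entry, missing or unreadable directory
        for filename in names:
            if pattern.match(filename):
                return os.path.join(directory, filename)
    return None


def helper_origins(snap_root=None):
    """Map each helper to (path found on PATH, True if it lives under the snap)."""
    snap_root = snap_root or os.environ.get("SNAP", "")  # assumed snap root
    prefix = snap_root.rstrip("/") + "/"
    report = {}
    for tool in ("ldconfig", "gcc", "objdump", "ld"):
        path = shutil.which(tool)
        inside = bool(path and snap_root
                      and os.path.realpath(path).startswith(prefix))
        report[tool] = (path, inside)
    return report


if __name__ == "__main__":
    for tool, (path, inside) in helper_origins().items():
        print(f"{tool:9} {path or 'not on PATH':45} under $SNAP: {inside}")
    print("find_library('pcap') ->", ctypes.util.find_library("pcap"))
    print("LD_LIBRARY_PATH scan ->", scan_ld_library_path("pcap"))
```

Run inside the snap's environment, a helper reported as not under `$SNAP` is one that find_library would execute from outside the snap's own files.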