From: Mikael Magnusson
Date: Tue, 6 Jun 2023 19:54:06 +0200
Subject: Re: [Bug] modules zsh/tcp, zsh/zftp unloadable, probably affecting most modern Linuxes
To: Philippe Troin
Cc: zsh-workers@zsh.org
X-Seq: 51841

On 6/6/23, Philippe Troin wrote:
> On Tue, 2023-06-06 at 16:01 +0100, Peter Stephenson wrote:
>> > On 06/06/2023 15:38 Jun. T wrote:
>> >
>> >
>> > > 2023/06/06 18:05, Peter Stephenson
>> > > wrote:
>> > >
>> > > > On 06/06/2023 07:42 Jun T wrote:
>> > > >
>> > > > Why '-z now' is used when building binary packages? For
>> > > > security?
>> > >
>> > > I think this is just so that failure to find symbols at all will
>> > > show up quickly in the build rather than at run time, which would
>> > > be a real pain.
>> >
>> > I think '-z now' is to mark (add the flag) zftp.so so that the
>> > dynamic linker resolves all the symbols when _loading_ it;
>> > the symbols are not resolved when _building_ zftp.so.
>>
>> Yes, it does say it gets applied at the point of dlopen(), so it's
>> explicitly counteracting RTLD_LAZY.
>>
>> Is this specific to the Fedora configuration in their own source
>> package? I don't see an obvious sign the standard zsh build itself
>> is making this choice. configure has some system-specific tweaks
>> for dynamic loading, but not this.
>
> "-z now" is automatically added to all builds by the hardening
> configuration on RedHat/Fedora and possibly derived distributions:
>
> % ag -- -Wl.*now /usr/lib/rpm/
> /usr/lib/rpm/macros.d/macros.rust
> 46: -Clink-arg=-Wl,-z,now
>
> /usr/lib/rpm/redhat/macros
> 302:%_hardening_ldflags -Wl,-z,now %[ "%{toolchain}" == "gcc" ?
> "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]

The zftp module's setup_ function is:

    int
    setup_(UNUSED(Module m))
    {
        return (require_module("zsh/net/tcp", NULL, 0) == 1);
    }

So the module providing the "missing" symbol will always be loaded
before any functions in zftp using it will be called, and there will
not be any failed symbol resolutions at runtime, which we indicate by
the RTLD_LAZY flag to dlopen().

The glibc manpage says

    RTLD_LAZY
        Perform lazy binding. Resolve symbols only as the code that
        references them is executed. If the symbol is never
        referenced, then it is never resolved.

The POSIX manpage does not agree with the glibc manpage and says

    RTLD_LAZY
        Relocations shall be performed at an implementation-defined
        time, ranging from the time of the dlopen() call until the
        first reference to a given symbol occurs.

I.e., it allows the behavior in Fedora. I guess it would probably not be
very hard to make this work on both setups. Another workaround you (or
the packager) could do in the meantime is to statically link the tcp
module.

-- 
Mikael Magnusson
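
Added example (not part of the original message and not zsh code): a small C checker that reports whether a module such as zftp.so was linked with "-z now", by looking in its dynamic section for DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1, the markers that make the loader bind everything at dlopen() time even when RTLD_LAZY is passed. The function names are made up for illustration, and it assumes an ELF64 file in the host's byte order on Linux.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any "bind now" marker appears before DT_NULL among n dynamic entries. */
int dyn_has_bind_now(const Elf64_Dyn *dyn, size_t n) {
    for (size_t i = 0; i < n && dyn[i].d_tag != DT_NULL; i++) {
        if (dyn[i].d_tag == DT_BIND_NOW) return 1;
        if (dyn[i].d_tag == DT_FLAGS && (dyn[i].d_un.d_val & DF_BIND_NOW)) return 1;
        if (dyn[i].d_tag == DT_FLAGS_1 && (dyn[i].d_un.d_val & DF_1_NOW)) return 1;
    }
    return 0;
}

/* 1: bind-now, 0: lazy binding allowed, -1: unreadable, not ELF64, or no PT_DYNAMIC. */
int elf_has_bind_now(const char *path) {
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_size < (off_t)sizeof(Elf64_Ehdr)) { close(fd); return -1; }
    size_t sz = (size_t)st.st_size;
    unsigned char *m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)m;
    /* Every offset taken from the file is bounds-checked before it is used. */
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) == 0 && eh->e_ident[EI_CLASS] == ELFCLASS64 &&
        eh->e_phentsize == sizeof(Elf64_Phdr) && eh->e_phoff <= sz &&
        (size_t)eh->e_phnum * sizeof(Elf64_Phdr) <= sz - eh->e_phoff) {
        const Elf64_Phdr *ph = (const Elf64_Phdr *)(m + eh->e_phoff);
        for (int i = 0; i < eh->e_phnum && rc < 0; i++)
            if (ph[i].p_type == PT_DYNAMIC && ph[i].p_offset <= sz &&
                ph[i].p_filesz <= sz - ph[i].p_offset)
                rc = dyn_has_bind_now((const Elf64_Dyn *)(m + ph[i].p_offset),
                                      ph[i].p_filesz / sizeof(Elf64_Dyn));
    }
    munmap(m, sz);
    return rc;
}

int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        int r = elf_has_bind_now(argv[i]);
        printf("%s: %s\n", argv[i], r < 0 ? "no ELF64 dynamic section" : r ? "BIND_NOW" : "lazy");
    }
    return 0;
}
```

Run it with the paths of the installed module files as arguments; a module reported as BIND_NOW needs every symbol it references to be resolvable at the moment it is loaded.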