
primusrun with suid binaries.

Open rvega opened this issue 8 years ago • 3 comments

primusrun uses LD_LIBRARY_PATH to use /usr/lib/primus/libGL.so.1 with precedence over /usr/lib/libGL.so.1. This works fine for most cases. However, when running a suid binary such as virtualbox, the LD_LIBRARY_PATH variable is ignored and only the system paths are used, so the primus version of libGL.so.1 is not loaded.

How can this be fixed? My particular case is I want to run virtualbox with primusrun. More details of my issue here.

rvega avatar Apr 30 '17 17:04 rvega

It can't be fixed. Otherwise you could inject random code into suid binaries and do privilege escalation attacks quite easily.

karolherbst avatar May 01 '17 10:05 karolherbst

In the past VirtualBox used to support CR_SYSTEM_GL_PATH variable that could be used to load an alternative libGL.so. In principle it could be used to load primus libGL, if all other libraries are present on default search paths.

Diagnostics shown in the linked thread look strange, there's a mix of system paths and nvidia-specific paths in the first message (I think this means that bumblebee config was incorrectly changed, or the primusrun script itself), followed by NULL diagnostics from dlopen which shouldn't happen. Mentions of libraries being copied/symlinked to system locations in further posts also look worrisome.

Also note that since the main virtualbox executable is normally suid-root, it starts running with elevated privileges even without sudo; security depends on how carefully it drops privileges afterwards (which in principle it could do even under sudo, but I have no idea if any support is in place for that).

amonakov avatar May 01 '17 11:05 amonakov

Thanks for the replies.

The symlinks and copies in the linked thread were simply attempts to get things working. They were removed and bumblebee and the primus script are installed as default. Here is where I'm at right now:

CR_SYSTEM_GL_PATH="/usr/lib/primus/" primusrun virtualbox --startvm Solidworks                                <<<
primus: fatal: failed to load any of the libraries: /usr/lib/nvidia/libGL.so.1:/usr/lib32/nvidia/libGL.so.1:/usr/lib/libGL.so.1:/usr/lib32/libGL.so.1  
(null)
(null)
(null)
(null)
Qt WARNING: QObject::~QObject: Timers cannot be stopped from another thread

or with sudo:

sudo CR_SYSTEM_GL_PATH="/usr/lib/primus/" primusrun virtualbox --startvm Solidworks
primus: fatal: failed to load any of the libraries: /usr/lib/nvidia/libGL.so.1:/usr/lib32/nvidia/libGL.so.1:/usr/lib/libGL.so.1:/usr/lib32/libGL.so.1
(null)
(null)
(null)
(null)

In both cases, I get the following in dmesg:

[  336.928938] bbswitch: enabling discrete graphics
[  337.073077] nvidia-nvlink: Nvlink Core is being initialized, major device number 245
[  337.073089] NVRM: loading NVIDIA UNIX x86_64 Kernel Module  375.39  Tue Jan 31 20:47:00 PST 2017
[  337.073090]  (using threaded interrupts)

[  337.084063] vgaarb: this pci device is not a vga device
[  337.085696] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085728] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085743] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085763] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085779] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085801] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.085816] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.108081] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.249143] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  375.39  Tue Jan 31 19:41:48 PST 2017
[  337.249795] nvidia-modeset: Allocated GPU:0 (GPU-d34257ac-44c6-552b-e22d-97c4bd65908a) @ PCI:0000:01:00.0
[  337.249969] nvidia-modeset: Freed GPU:0 (GPU-d34257ac-44c6-552b-e22d-97c4bd65908a) @ PCI:0000:01:00.0
[  337.251846] vgaarb: this pci device is not a vga device
[  337.982649] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  337.986707] nvidia-modeset: Unloading
[  338.001708] nvidia-nvlink: Unregistered the Nvlink Core, major device number 245
[  338.016188] bbswitch: disabling discrete graphics
[  338.016205] ACPI Warning: \_SB.PCI0.RP01.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20160831/nsarguments-95)
[  338.031647] pci 0000:01:00.0: Refused to change power state, currently in D0

Also, I have the intel_iommu=on kernel parameter set and dmesg shows that iommu is being enabled.

rvega avatar May 09 '17 22:05 rvega