build-fhsenv-bubblewrap includes /usr/lib and /usr/lib32 in LD_LIBRARY_PATH

[LunNova]

nixpkgs/pkgs/build-support/build-fhsenv-bubblewrap/buildFHSEnv.nix

Line 86 in f2efc7f

export LD_LIBRARY_PATH="/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"

Why does buildFHSEnv include /usr/lib and /usr/lib64 in LD_LIBRARY_PATH? Having them mounted at those locations should be sufficient for apps built for FHS systems to work.

Including them in LD_LIBRARY_PATH causes these libraries to be used even for nix-built packages with proper dependencies on store paths, leading to runtime crashes. An example of this sort of crash occurs when running nix inside a shell inside vscode-fhs as it runs against incorrect libraries.

Is there a case where FHS binaries require LD_LIBRARY_PATH as well?

I've tested vscode-fhs and steam with a small patch to remove these two entries and they work fine but I'd assume there was some reason for including these and I've just not tested it.

@Atemu

Some examples of issues I've ran into that had this as a root cause, when running programs inside a FHS shell:

$ fish: Job 5, 'whoami' terminated by signal SIGSEGV (Address boundary error)
fish: Job 4, 'basename (string trim -l -c '-'…' terminated by signal SIGSEGV (Address boundary error)
fish: Process 352878, 'wc' from job 3, 'jobs -c | command wc -l' terminated by signal SIGSEGV (Address boundary error)
fish: Process 352841, 'sed' from job 2, '__fish_git_prompt | command sed…' terminated by signal SIGSEGV (Address boundar

$ nixpkgs-fmt .
*** stack smashing detected ***: terminated
fish: Job 1, 'nixpkgs-fmt .' terminated by signal SIGABRT (Abort)

[nbdd0121]

LD_LIBRARY_PATH problematic because it has priority over RUNPATH inside ELF. I don't think they are any useful because in FHS env /etc/ld.so.conf already contains all these paths.

[nbdd0121]

For some reason it seems that without LD_LIBRARY_PATH ld.so is unable to find libraries.

I have a precompiled clang, and ldd shows:

> ldd clang
        linux-vdso.so.1 (0x00007ffff7fc8000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007ffff7fbd000)
        librt.so.1 => /lib/librt.so.1 (0x00007ffff7fb8000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007ffff7fb3000)
        libz.so.1 => /lib/libz.so.1 (0x00007ffff7f94000)
        libtinfo.so.5 => /lib/libtinfo.so.5 (0x00007ffff7f2c000)
        libm.so.6 => /lib/libm.so.6 (0x00007ffff7e4a000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007ffff7e29000)
        libc.so.6 => /lib/libc.so.6 (0x00007ffff7c42000)
        /lib64/ld-linux-x86-64.so.2 => /nix/store/pq23w2wmy4kzndyv06c1a6k0mkpqhff4-glibc-multi-2.37-45/lib/ld-linux-x86-64.so.2 (0x00007ffff7fca000)

> LD_LIBRARY_PATH= ldd clang
        linux-vdso.so.1 (0x00007ffff7fc8000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007ffff7fba000)
        librt.so.1 => /lib/librt.so.1 (0x00007ffff7fb5000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007ffff7fb0000)
        libz.so.1 => /lib/libz.so.1 (0x00007ffff7f91000)
        libtinfo.so.5 => not found
        libm.so.6 => /lib/libm.so.6 (0x00007ffff7eaf000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00007ffff7e8e000)
        libc.so.6 => /lib/libc.so.6 (0x00007ffff7ca7000)
        /lib64/ld-linux-x86-64.so.2 => /nix/store/pq23w2wmy4kzndyv06c1a6k0mkpqhff4-glibc-multi-2.37-45/lib/ld-linux-x86-64.so.2 (0x00007ffff7fca000)

It seems that /lib is not searched because ld.so is installed prefixed.

> ld.so --help
<snip>
Shared library search path:
  (libraries located via /nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/etc/ld.so.cache)
  /nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib (system search path)
  /nix/store/jd99cyc0251p0i5y69w8mqjcai8mcq7h-xgcc-12.2.0-libgcc/lib (system search path)
<snip>

and the prefixed path only have the basics.

However I am still trying to understand why ld.so.cache is not used at all, since it's correctly symlinked:

> ll /nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/etc
total 5
lrwxrwxrwx 1 gary   users     16 Oct 26 12:29 ld.so.cache -> /etc/ld.so.cache
lrwxrwxrwx 1 gary   users     15 Oct 26 12:29 ld.so.conf -> /etc/ld.so.conf
-r--r--r-- 1 nobody nogroup 1634 Jan  1  1970 rpc

[nbdd0121]

It appears things in ld.so.cache is only generated if they're referred to with their SONAME. So in this case libtinfo.so.5 is not found because the cache contains only libncursesw.so.5 but no libtinfo.so.5. It appears that in this case using LD_LIBRARY_PATH is essential for ld.so to be able to discover libtinfo.so.5.

This is unfortunate because this means that #263201 is breaking. If LD_LIBRARY_PATH is absent then the program cannot find the so, if it's present then it takes priority over RUNPATH in elfs and break things that's linked to a specific glibc version. I feel that we want something that has similar semantics to LD_LIBRARY_PATH but has lower priority than RUNPATH, but I don't think this thing exist.

[nbdd0121]

Turns out there's an existing issue #218534

[wentasah]

Also #89769 seems relevant.

[LunNova]

Closing as #263201 was merged.