Author dgelessus
Recipients dgelessus, ned.deily, ronaldoussoren
Date 2020-04-05.20:20:48
Message-id <1586118049.02.0.786646499236.issue40198@roundup.psfhosted.org>
Content
Recent Python.org versions of Python for macOS no longer respect the DYLD_LIBRARY_PATH environment variable for extending the dynamic library search path, and the envvar is completely invisible to the Python process. This is the case since at least Python 3.7.7 and Python 3.8.2. It was *not* the case with Python 3.7.5 or Python 3.8.0 or any earlier versions (I haven't tested 3.7.6 and 3.8.1). For example:

$ python3.6 --version
Python 3.6.8
$ DYLD_LIBRARY_PATH=tests/objc python3.6 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
tests/objc
$ python3.7 --version
Python 3.7.7
$ DYLD_LIBRARY_PATH=tests/objc python3.7 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
None

This seems to be because the Python binaries now fulfill the requirements for notarization (as mentioned in https://www.python.org/downloads/release/python-377/#macos-users), which includes enabling the hardened runtime (https://developer.apple.com/documentation/security/hardened_runtime), which by default hides DYLD_LIBRARY_PATH (and other DYLD_... envvars) from the hardened binary.

To disable this protection and allow using DYLD_... envvars again, the entitlement com.apple.security.cs.allow-dyld-environment-variables (https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-dyld-environment-variables) can be added to a hardened binary. The Python binaries seem to have some entitlements, but not .allow-dyld-environment-variables:

$ codesign --display --entitlements=:- python3.7
Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>

Would it be possible to add this entitlement to the Python binaries, so that DYLD_LIBRARY_PATH can be used again, as was possible in previous versions?
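
Added example, not part of the original message or of CPython's own code: a small audit helper that parses the output of the `codesign --display --entitlements=:-` command shown above and reports whether a hardened binary would still see DYLD_... variables. The function names and the `hardened` parameter are assumptions of this example; the entitlements plist alone does not say whether the hardened runtime is enabled, so the caller supplies that.

```python
import plistlib
import subprocess

DYLD_ENTITLEMENT = "com.apple.security.cs.allow-dyld-environment-variables"

# Sample input: the codesign output quoted in the message above.
SAMPLE_OUTPUT = b"""Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
"""

def parse_entitlements(codesign_output: bytes) -> dict:
    """Return the entitlements dict embedded in codesign output ({} if none)."""
    start = codesign_output.find(b"<?xml")
    if start == -1:
        return {}  # binary carries no entitlements blob
    end = codesign_output.find(b"</plist>", start)
    if end == -1:
        raise ValueError("truncated entitlements plist")
    return plistlib.loads(codesign_output[start:end + len(b"</plist>")])

def dyld_vars_allowed(entitlements: dict, hardened: bool = True) -> bool:
    """A hardened binary sees DYLD_... variables only with the entitlement set to true."""
    return (not hardened) or entitlements.get(DYLD_ENTITLEMENT) is True

def runtime_exceptions(entitlements: dict) -> list:
    """List the hardened-runtime exception entitlements that are switched on."""
    return sorted(k for k, v in entitlements.items()
                  if k.startswith("com.apple.security.cs.") and v is True)

def audit_binary(path: str) -> dict:
    """macOS only: run the same codesign command as in the message on `path`."""
    proc = subprocess.run(["codesign", "--display", "--entitlements=:-", path],
                          capture_output=True, check=True)
    return parse_entitlements(proc.stdout)

if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_OUTPUT)
    print("exceptions granted:", runtime_exceptions(ents))
    print("DYLD_... variables visible:", dyld_vars_allowed(ents))
```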