New submission from dgelessus <dgelessus+bugs.python....@me.com>:

Recent Python.org versions of Python for macOS no longer respect the 
DYLD_LIBRARY_PATH environment variable for extending the dynamic library search 
path, and the envvar is completely invisible to the Python process. This is the 
case since at least Python 3.7.7 and Python 3.8.2. It was *not* the case with 
Python 3.7.5 or Python 3.8.0 or any earlier versions (I haven't tested 3.7.6 
and 3.8.1). For example:

$ python3.6 --version
Python 3.6.8
$ DYLD_LIBRARY_PATH=tests/objc python3.6 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
tests/objc
$ python3.7 --version
Python 3.7.7
$ DYLD_LIBRARY_PATH=tests/objc python3.7 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
None

This seems to be because the Python binaries now fulfill the requirements for 
notarization (as mentioned in 
https://www.python.org/downloads/release/python-377/#macos-users), which 
includes enabling the hardened runtime 
(https://developer.apple.com/documentation/security/hardened_runtime), which by 
default hides DYLD_LIBRARY_PATH (and other DYLD_... envvars) from the hardened 
binary.

To disable this protection and allow using DYLD_... envvars again, the 
entitlement com.apple.security.cs.allow-dyld-environment-variables 
(https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-dyld-environment-variables)
can be added to a hardened binary. The Python binaries seem to have some 
entitlements, but not .allow-dyld-environment-variables:

$ codesign --display --entitlements=:- python3.7
Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>

Would it be possible to add this entitlement to the Python binaries, so that 
DYLD_LIBRARY_PATH can be used again, as was possible in previous versions?

----------
components: macOS
messages: 365824
nosy: dgelessus, ned.deily, ronaldoussoren
priority: normal
severity: normal
status: open
title: macOS Python builds from Python.org ignore DYLD_LIBRARY_PATH due to 
hardened runtime
versions: Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40198>
_______________________________________
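
The entitlement check described in the report can be automated when auditing several signed binaries. The following is an added example, not part of the original report or of CPython: it parses text shaped like the `codesign --display --entitlements=:-` output quoted above and lists which hardened-runtime exceptions are enabled. The names `parse_entitlements`, `audit` and `SAMPLE` are hypothetical, the sample is constructed from the quoted output, and the result assumes the binary is signed with the hardened runtime.

```python
import plistlib

DYLD_KEY = "com.apple.security.cs.allow-dyld-environment-variables"
# Hardened-runtime exception entitlements named in the report.
RUNTIME_EXCEPTIONS = (
    DYLD_KEY,
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
)

# Constructed sample: same shape as the codesign output quoted in the report.
SAMPLE = """Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
"""


def parse_entitlements(codesign_output):
    """Return the entitlements dict embedded in codesign's text output."""
    start = codesign_output.find("<?xml")
    end = codesign_output.rfind("</plist>")
    if start == -1 or end == -1:
        return {}  # no plist in the output: binary carries no entitlements
    xml = codesign_output[start:end + len("</plist>")]
    data = plistlib.loads(xml.encode("utf-8"))
    return data if isinstance(data, dict) else {}


def audit(codesign_output):
    """Summarise which hardened-runtime exceptions are switched on."""
    ents = parse_entitlements(codesign_output)
    # Only a boolean true enables an exception; <false/> leaves it off.
    enabled = [k for k in RUNTIME_EXCEPTIONS if ents.get(k) is True]
    return {
        "allows_dyld_env": DYLD_KEY in enabled,
        "exceptions": enabled,
        "other": sorted(k for k in ents if k not in RUNTIME_EXCEPTIONS),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```
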