
I'm writing an application that has both Python and C++ libraries. The Python part needs to send and receive raw packets, so I'm giving the Python executable the CAP_NET_RAW capability.

I also load C++ shared libraries with Cython in the same program. I want to compile the shared libraries with relative paths for dependencies - i.e., use the $ORIGIN special variable.

However, because Python has the CAP_NET_RAW capability, Linux treats it as a setuid program and ignores the $ORIGIN string inside the shared libraries' dependency definitions, so they fail to load:

For security, the dynamic linker does not allow use of $ORIGIN substitution sequences for set-user and set-group ID programs. For such sequences that appear within strings specified by DT_RUNPATH dynamic array entries, the specific search path containing the $ORIGIN sequence is ignored (though other search paths in the same string are processed). $ORIGIN sequences within a DT_NEEDED entry or path passed as a parameter to dlopen() are treated as errors. The same restrictions may be applied to processes that have more than minimal privileges on systems with installed extended security mechanisms.

This security feature causes us a lot of pain. We have to compile shared libraries with full-path dependencies and they are not portable between development machines.

Is there any way to disable this security feature in Linux so that $ORIGIN will be interpreted for programs with extra capabilities?

Amir Rachum
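An added example in C (not from the question or any answer): it reports whether the current process is in secure-execution mode via getauxval(AT_SECURE), the flag the dynamic linker consults for setuid, setgid and file-capability binaries, and models the quoted DT_RUNPATH rule by computing which colon-separated components survive once $ORIGIN entries are dropped. The function names and the sample RUNPATH strings are my own, constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Secure-execution mode: the kernel sets AT_SECURE for setuid/setgid
 * binaries and for binaries carrying file capabilities, e.g. a python
 * interpreter that was given CAP_NET_RAW with setcap. */
int running_secure(void) { return getauxval(AT_SECURE) != 0; }

/* True if the path component s[0..len) contains $ORIGIN or ${ORIGIN}. */
static int has_origin(const char *s, size_t len)
{
    const char *tags[] = { "$ORIGIN", "${ORIGIN}" };
    for (int t = 0; t < 2; t++) {
        size_t tl = strlen(tags[t]);
        for (size_t i = 0; i + tl <= len; i++)
            if (memcmp(s + i, tags[t], tl) == 0) return 1;
    }
    return 0;
}

/* Models the ld.so rule quoted in the question for one DT_RUNPATH string:
 * when secure != 0, every component containing $ORIGIN is dropped and the
 * remaining components are still searched; when secure == 0 all survive.
 * Writes the effective search path to out and returns the number of kept
 * components, or -1 if out is too small. (Hypothetical helper, not ld.so.) */
int filter_runpath_secure(const char *runpath, int secure, char *out, size_t outlen)
{
    int kept = 0;
    size_t used = 0;
    const char *p = runpath;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (!(secure && has_origin(p, len))) {     /* keep unless secure + $ORIGIN */
            if (used + len + 2 > outlen) return -1;
            if (kept) out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        p = colon ? colon + 1 : p + len;
    }
    return kept;
}
```

Run filter_runpath_secure() on the RUNPATH that readelf -d shows for your extension, passing running_secure() as the second argument, to see exactly which search paths the loader will still honour in the capability-bearing interpreter.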
