Statically linked binary & NSS

Statically linked binary & NSS

[Lionel Cons]

I would like to create a statically linked binary but it seems that
the -static flag is not enough. The problem seems to come from glibc
dynamically loading some libnss_* libraries, depending on the contents
of /etc/nsswitch.conf.

Here is my test program:
    #include <stdio.h>
    #include <pwd.h>
    main()
    {
      struct passwd *p;
      p = getpwnam("root");
      if (p == NULL) {
    	printf("no root!\n");
      } else {
    	printf("root is %d\n", p->pw_uid);
      }
    }

# gcc -v
Reading specs from /usr/local/lib/gcc-lib/i686-pc-linux-gnu/egcs-2.91.57/specs
gcc version egcs-2.91.57 19980901 (egcs-1.1 release)
# gcc -static -o test test.c
# ./test
root is 0
# ldd ./test
        not a dynamic executable

So far so good but this still loads dynamic libraries:

# strace ./test
...
open("/etc/nsswitch.conf", O_RDONLY)    = 3
...
open("/lib/libnss_files.so.1", O_RDONLY) = 3

And this fails in a chroot jail:

# mkdir -p /tmp/jail/etc
# cp /etc/passwd /tmp/jail/etc
# cp /etc/nsswitch.conf /tmp/jail/etc
# cp test /tmp/jail
# chroot /tmp/jail /test
no root!
# strace chroot /tmp/jail /test
...
open("/etc/nsswitch.conf", O_RDONLY)    = 3
...
open("/lib/libnss_files.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
...

So, how can I create a really static binary? Are there some other
libraries dynamically loading files like this?

If this matters, I'm using Red Hat 5.1, glibc 2.0.7 and egcs 1.1.

Thanks in advance for any help...

________________________________________________________
Lionel Cons        http://wwwinfo.cern.ch/~cons
CERN               http://www.cern.ch
 
Boren's Laws:
	When in charge, ponder.
	When in trouble, delegate.
	When in doubt, mumble.

Re: Statically linked binary & NSS

[Ulrich Drepper]

Lionel Cons <Lionel.Cons@cern.ch> writes:

> I would like to create a statically linked binary but it seems that
> the -static flag is not enough.

Using NSS and -static contradict each other.  NSS always requires
dynamic loading.

-- 
---------------.      drepper at gnu.org  ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Cygnus Solutions `--' drepper at cygnus.com   `------------------------

Re: Statically linked binary & NSS

[Lionel Cons]

Ulrich Drepper writes:
 > Lionel Cons <Lionel.Cons@cern.ch> writes:
 > 
 > > I would like to create a statically linked binary but it seems that
 > > the -static flag is not enough.
 > 
 > Using NSS and -static contradict each other.  NSS always requires
 > dynamic loading.

Why can't I link all the libnss_* libraries statically so that a
dynamic loading is not needed anymore? I don't see any technical
problem that would prevent this. The code calling the right routines
in the right libraries just has to be careful...

________________________________________________________
Lionel Cons        http://wwwinfo.cern.ch/~cons
CERN               http://www.cern.ch
 
Boren's Laws:
	When in charge, ponder.
	When in trouble, delegate.
	When in doubt, mumble.

Re: Statically linked binary & NSS

[Andreas Jaeger]

>>>>> Lionel Cons writes:

 > I would like to create a statically linked binary but it seems that
 > the -static flag is not enough. The problem seems to come from glibc
 > dynamically loading some libnss_* libraries, depending on the contents
 > of /etc/nsswitch.conf.

 > ...
 > open("/etc/nsswitch.conf", O_RDONLY)    = 3
 > ...
 > open("/lib/libnss_files.so.1", O_RDONLY) = 3

 > And this fails in a chroot jail:
So just copy those files into you chroot environment!

 > # mkdir -p /tmp/jail/etc
 > # cp /etc/passwd /tmp/jail/etc
 > # cp /etc/nsswitch.conf /tmp/jail/etc
 > # cp test /tmp/jail
 > # chroot /tmp/jail /test
 > no root!
 > # strace chroot /tmp/jail /test
 > ...
 > open("/etc/nsswitch.conf", O_RDONLY)    = 3
 > ...
 > open("/lib/libnss_files.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
 > ...

 > So, how can I create a really static binary? Are there some other
 > libraries dynamically loading files like this?
No, libnss_* are the only ones used.

 > If this matters, I'm using Red Hat 5.1, glibc 2.0.7 and egcs 1.1.

You're lucky that you're running Linux and not Solaris.  Under Solaris 
(which also uses NSS) it's impossible to link static at all.  With
glibc you're linking static programs which are not really static.

glibc 2.1 will contain a solution.  But I don't encourage you to use
it;-).  I'm appending a FAQ entry from 2.1 for the details.  Please
note that 2.1 isn't released yet, only test releases are available.

Andreas


2.22.	Even statically linked programs need some shared libraries
	which is not acceptable for me.  What can I do?

{AJ} NSS (for details just type `info libc "Name Service Switch"') won't
work properly without shared libraries.  NSS allows using different services
(e.g. NIS, files, db, hesiod) by just changing one configuration file
(/etc/nsswitch.conf) without relinking any programs.  The only disadvantage
is that now static libraries need to access shared libraries.  This is
handled transparently by the GNU C library.

A solution is to configure glibc with --enable-static-nss.  In this case you
can create a static binary that will use only the services dns and files
(change /etc/nsswitch.conf for this).  You need to link explicitly against
all these services. For example:

  gcc -static test-netdb.c -o test-netdb.c \
    -lc -lnss_files -lnss_dns -lresolv

The problem with this approach is that you've got to link every static
program that uses NSS routines with all those libraries.

{UD} In fact, one cannot say anymore that a libc compiled with this
option is using NSS.  There is no switch anymore.  Therefore it is
*highly* recommended *not* to use --enable-static-nss since this makes
the behaviour of the programs on the system inconsistent.




-- 
 Andreas Jaeger   aj@arthur.rhein-neckar.de    jaeger@informatik.uni-kl.de
  for pgp-key finger ajaeger@aixd1.rhrk.uni-kl.de

Re: Statically linked binary & NSS

[Nick Ing-Simmons]

Lionel Cons <Lionel.Cons@cern.ch> writes:
>Ulrich Drepper writes:
> > Lionel Cons <Lionel.Cons@cern.ch> writes:
> > 
> > > I would like to create a statically linked binary but it seems that
> > > the -static flag is not enough.
> > 
> > Using NSS and -static contradict each other.  NSS always requires
> > dynamic loading.
>
>Why can't I link all the libnss_* libraries statically so that a
>dynamic loading is not needed anymore? I don't see any technical
>problem that would prevent this. The code calling the right routines
>in the right libraries just has to be careful...

Assuming NSS is "Name Service Switch: then that chooses which version of 
function(s) to _load_ based on the config file. 
It dynamic loads the appropriate library, which in turn needs the root 
executable to have the right hooks.
-- 
Nick Ing-Simmons <nik@tiuk.ti.com>
Via, but not speaking for: Texas Instruments Ltd.