Disabling AIX /usr/bin/sh clearing of LIBPATH, NLSPATH, and LD_LIBRARY_PATH


I expect a shell not to modify LIBPATH and most other environment variables. On some but not all AIX systems, /usr/bin/sh (notable for being the shell behind system(3)) clears variables LIBPATH, LD_LIBRARY_PATH, and NLSPATH. ksh and bash do not. Test shell script:

export LIBPATH=/none1 LD_LIBRARY_PATH=/none2 NLSPATH=/none3 LiBPATH=/none4
for shell in /usr/bin/sh ksh bash; do
    echo "=== $shell"
    $shell -c env | grep /none
done

I expect output like this, and I get it on some AIX systems:

=== /usr/bin/sh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== ksh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== bash
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2

Variable-clearing systems give this output instead:

=== /usr/bin/sh
LiBPATH=/none4
=== ksh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== bash
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2

How can one disable this variable-clearing behavior? I'd like to disable it to restore compatibility of system(3) with older AIX and with Linux.

Differences observed between systems:

  1. As of 2023-05-11, a system with $(oslevel -s)=7200-04-03-2038 did not clear these variables.
  2. After some kind of system change and reboot on 2023-05-12, that same system now does clear these variables. The system still reports level 7200-04-03-2038. This system is gcc119.fsffrance.org, a member of the GCC Compile Farm. I don't have details on the system change. (I inferred it from the uptime and from find /usr /opt /etc -mtime -30 -ls 2>/dev/null.) I could ask the admin.
  3. A system with oslevel 7100-05-06-2028 does not clear these variables. This system is gcc111.fsffrance.org, also a member of the GCC Compile Farm.

Shell versions for system (2), the variable-clearing system:

$ lslpp -l bos.rte.shell
  Fileset                      Level  State      Description         
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.rte.shell              7.2.4.2  COMMITTED  Shells (bsh, ksh, csh)

Path: /etc/objrepos
  bos.rte.shell              7.2.4.2  COMMITTED  Shells (bsh, ksh, csh)
$ ls -l /usr/bin/ksh /usr/bin/sh
-r-xr-xr-x    5 bin      bin          317840 Sep 23 2020  /usr/bin/ksh
-r-xr-xr-x    5 bin      bin          317840 Sep 23 2020  /usr/bin/sh

On system (2), no package known to lslpp is newer than year 2020:

$ lslpp -Lc all | grep ':[0-9]\{4\}$' | sed 's/.*://' | sort | uniq -c
   1 1241
 297 1543
   2 1614
   8 1642
   6 1731
   4 1806
  42 1837
  46 1845
   2 1913
 332 1937
  43 2015
   1 2027
 117 2037

Solution

  • /etc/security/privcmds contained:

    /bin/sh:
            accessauths = ALLOW_ALL
    

    Removing that and running setkst disabled the variable clearing. Under the removed configuration, role based access control (RBAC) "governs the privileges assigned to the process". "For a process configured with RBAC elevated privileges" the question's three variables and also LDR_PRELOAD are reset. Apparently, enrolling a process in RBAC is enough to reset the variables, even if no RBAC privilege grants appear.
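
A check for both halves of this thread, added here as an example and not part of the original question or answer: one function lists the shell stanzas in a privcmds-style file, the other reports which of the question's three variables a given shell drops. The function names are hypothetical, and treating lines that start with `*` as comments is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the stanza file path and
# variable names come from the question and answer above.

# Print "command<TAB>accessauths" for every stanza in a privcmds-style file
# that names a shell. $1: stanza file (default /etc/security/privcmds).
# Assumption: lines starting with "*" are comments.
shell_privcmds_stanzas() {
    awk '
        function emit() {
            if (name ~ /\/(sh|bsh|ksh|csh|bash)$/)
                printf "%s\t%s\n", name, (auth == "" ? "-" : auth)
        }
        /^[ \t]*\*/ || /^[ \t]*$/ { next }       # comment or blank line
        /^[^ \t].*:[ \t]*$/ {                    # stanza header, e.g. "/bin/sh:"
            emit()
            name = $0; sub(/:[ \t]*$/, "", name); auth = ""
            next
        }
        /^[ \t]+accessauths[ \t]*=/ {            # attribute inside the stanza
            auth = $0; sub(/^[^=]*=[ \t]*/, "", auth); sub(/[ \t]+$/, "", auth)
        }
        END { emit() }
    ' "${1:-/etc/security/privcmds}"
}

# Print each of the question's three variables that does not survive into a
# command started through shell $1 (empty output: nothing was cleared).
cleared_loader_vars() {
    for v in LIBPATH LD_LIBRARY_PATH NLSPATH; do
        seen=$(env "$v=/none" "$1" -c "echo \"\${$v:-}\"")
        [ "$seen" = /none ] || printf '%s\n' "$v"
    done
}
```

Going by the answer above, a host with the `/bin/sh` stanza would show it in `shell_privcmds_stanzas` and list all three names from `cleared_loader_vars /usr/bin/sh`; after removing the stanza and running `setkst`, both should print nothing.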