ruby-odbc (0.9995, and also 0.9994) builds fine on Gentoo Hardened. But if it is used in a ruby script, it prints out the error message "INTERN (0) [RubyODBC]Cannot allocate SQLHENV (ODBC::Error)" on connect. I used this simple script: require 'odbc' connection = ODBC.connect('odbc-source', 'user', 'password') connection.disconnect Together with the Christian Werner, the author of ruby-odbc, we tryed a lot of things, like rebuilding the ldcache, but all seemed to be ok. But than we found out that compiling it with "--disable-dlopen" solves it. Also together with Pappy of the Gentoo Hardened team we found out that switching the compiler from hardened to vanilla gcc and than compiling ruby-odbc, also works. Pappy could reproduce this in his chroot. Some version info: dev-ruby/ruby-1.8.5_p2 USE="-cjk -debug -doc -examples -ipv6 -socks5 -threads -tk" dev-ruby/ruby-odbc-0.9995 USE="unicode" dev-db/unixODBC-2.2.11-r1 USE="-qt3" dev-db/freetds-0.62.3 USE="mssql odbc" emerge --info: Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.20-hardened-r2 i686) ================================================================= System uname: 2.6.20-hardened-r2 i686 Pentium III (Coppermine) Gentoo Base System release 1.12.9 Timestamp of tree: Tue, 08 May 2007 01:47:01 +0000 dev-lang/python: 2.4.4 dev-python/pycrypto: 2.0.1-r5 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.60 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -pipe -fforce-addr -msse -mfpmath=sse" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=i686 -pipe -fforce-addr -msse -mfpmath=sse" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="animgif apache2 berkdb crypt gd gif hal hardened imagemagick jpeg jpeg2k lm_sensors midi mysql mysqli nls odbc pam pic png readline sse sse2 ssl svg syslog tcpd truetype unicode unzip urandom vhosts x86 xml xorg zip zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS Reproducible: Always Steps to Reproduce:
Created attachment 120296 [details] Customized ebuild of ruby-odbc This is a customized ebuild of ruby-odbc that introduces a new use flag "nodlopen" so you can control whether dlopen is used. Default is to use it.
thx
Is this still an issue with ruby-odbc-0.99991 ?
(In reply to comment #3) > Is this still an issue with ruby-odbc-0.99991 ? Hi Hans, Yes,the same error occures with 0.99991. The only way to get it to work is with my custom ebuild... Greetings,,,
I think having a USE flag for that is not a good solution, because it is not intuitive. If the build fails people won't really know to use nodlopen unless they happen to find this bug. Ideally we should have some kind of solution that either selects this option when using a hardened compiler automatically, or simply not use dlopen at all, but I'm not sure what the implication is for normal builds. @hardened: any advice on how to handle this?
Force-disable dlopen. This way it's linked at build-time which generally speaking is a better choice, for a distribution like ours, because it disallows users from trying to load libraries with different ABI.
(In reply to comment #6) > Force-disable dlopen. This way it's linked at build-time which generally > speaking is a better choice, for a distribution like ours, because it disallows > users from trying to load libraries with different ABI. Fixed in ruby-odbc-0.99991-r1.
Thank you! Great!