Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 266673 - sys-apps/sandbox: unable to load libsandbox.so via LD_PRELOAD when filecaps are in use
Summary: sys-apps/sandbox: unable to load libsandbox.so via LD_PRELOAD when filecaps a...
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: Sandbox Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-18 18:34 UTC by Bruno
Modified: 2018-12-29 15:57 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
/bin/ls, /bin/mv, /usr/lib/libsandbox.so (sandbox.tar,220.00 KB, application/octet-stream)
2009-04-26 17:02 UTC, Bruno
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Bruno 2009-04-18 18:34:10 UTC
When emerging on Gentoo system I see following error quite often:
  ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored

I tried re-emerging portage, sandbox but it does not make any difference.

Reproducible: Always




Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.30-rc2 i686)
=================================================================
System uname: Linux-2.6.30-rc2-i686-Intel-R-_Pentium-R-_M_processor_1500MHz-with-glibc2.0
Timestamp of tree: Sat, 18 Apr 2009 09:00:14 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.5.2-r7
dev-util/cmake:      2.4.8
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.4.3-r1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ARCH="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -pipe"
CHOST="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLECTD_PLUGINS="battery cpu cpufreq disk exec filecount hddtemp netlink irq load memory network ntpd ping processes sensors swap tail tcpconns unixsock users wireless"
COLLISION_IGNORE="/lib/modules"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CVS_RSH="ssh"
CXXFLAGS="-O2 -march=pentium-m -pipe"
DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-gsoOB9Ewb2,guid=98e34b88989081b55099ea9549e9c90f"
DESKTOP="Enlightenment-0.17.0"
DESKTOP_STARTUP_ID="E_START|5"
DISPLAY=":0.0"
DISTDIR="/usr/portage/distfiles"
EDITOR="/usr/bin/vim"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="--ask --verbose"
EMERGE_WARNING_DELAY="10"
E_CONF_PROFILE="default"
E_IPC_SOCKET="/tmp/enlightenment-bruno/disp-:0.0-2098"
E_RESTART="1"
E_SCALE="1.000"
E_START="enlightenment_start"
E_START_TIME="1240058128.1"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
GCC_SPECS=""
GDK_USE_XFT="1"
GENTOO_MIRRORS="ftp://ftp.home/Gentoo ftp://gentoo.inode.at/source"
HOME="/root"
HUSHLOGIN="FALSE"
HZ="100"
INFOPATH="/usr/share/info:/usr/share/binutils-data/i686-pc-linux-gnu/2.18/info:/usr/share/gcc-data/i686-pc-linux-gnu/4.3.2/info"
INPUT_DEVICES="mouse evdev synaptics keyboard"
KERNEL="linux"
LANG="en_US.UTF-8"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LDFLAGS="-Wl,-O1"
LESS="-R -M --shift 5"
LESSOPEN="|lesspipe.sh %s"
LINGUAS="en"
LOGNAME="root"
LS_COLORS="no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.svgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:"
MAKEOPTS="-j2"
MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.18/man:/usr/share/gcc-data/i686-pc-linux-gnu/4.3.2/man"
NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"
OPENGL_PROFILE="xorg-x11"
PAGER="/usr/bin/less"
PANTS="ON"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.2"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc s390 amd64 x86 ppc64 x86-fbsd m68k arm sparc sh mips ia64 alpha hppa amd64-fbsd sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib/portage/bin"
PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"
PORTAGE_CONFIGROOT="/"
PORTAGE_COUNTER_HASH="7b51ecf772689547e0d3305f74d0fbff"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="warn error log"
PORTAGE_ELOG_MAILFROM="portage@localhost"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_ELOG_SYSTEM="save"
PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"
PORTAGE_FETCH_RESUME_MIN_SIZE="350K"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_NICENESS="5"
PORTAGE_PYM_PATH="/usr/lib/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_VERBOSE="1"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/enlightenment /home/mirror/Gentoo/overlay"
PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"
PWD="/root"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
ROOT="/"
ROOTPATH="/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.3.2"
RPMDIR="/usr/portage/rpm"
SHELL="/bin/bash"
SHLVL="3"
SSH_AGENT_PID="2090"
SSH_AUTH_SOCK="/tmp/ssh-YbaJSL2088/agent.2088"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
TERM="xterm"
USE="X acl acpi alsa branding bzip2 cairo caps cdr cracklib cups curl dbus dri dvd dvdread fam gif gpm gtk iconv idn ipv6 jpeg midi mmx mp3 mpeg ncurses nptl nptlonly ogg opengl pcre pdf png ppds quicktime readline samba scb sdl spell sse sse2 ssl svg syslog tiff truetype unicode usb vorbis wifi win32codecs x86 xattr xine xinerama xml xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="battery cpu cpufreq disk exec filecount hddtemp netlink irq load memory network ntpd ping processes sensors swap tail tcpconns unixsock users wireless" ELIBC="glibc" INPUT_DEVICES="mouse evdev synaptics keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="intel"
USER="root"
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS COLLECTD_PLUGINS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INITNG_PLUGINS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"
VIDEO_CARDS="intel"
WINDOWID="20971533"
XTERM_LOCALE="en_US.UTF-8"
XTERM_SHELL="/bin/bash"
XTERM_VERSION="XTerm(242)"
_="/usr/bin/emerge"
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-20 19:17:32 UTC
Please run

  FEATURES="-sandbox" emerge -1 sandbox

and report wether this fixed your problem. If yes, mark this bug as duplicate of bug #265895
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-22 21:51:17 UTC
Reopen this bug when you provide the requested information.
Comment 3 Bruno 2009-04-23 16:25:00 UTC
(In reply to comment #1)
> Please run
> 
>   FEATURES="-sandbox" emerge -1 sandbox
> 
> and report wether this fixed your problem. If yes, mark this bug as duplicate
> of bug #265895

Running
FEATURES="-sandbox" emerge -1 sandbox
(still shows the error message)
then
emerge --oneshot portage
and I still get the same error.

I also removed sandbox from FEATURES in /etc/make.conf, reemerged sandbox and portage, but when I readd sandbox to FEATURES the same error is back again.
Comment 4 SpanKY gentoo-dev 2009-04-24 05:09:28 UTC
make sure you dont have any stray libsandbox.so libs laying around in your system.  there should only be the one in /usr/lib/.

try running `sandbox` manually and then a few programs to see if you get the same error.
Comment 5 Bruno 2009-04-24 20:31:06 UTC
I tried to find out on which commands portage triggers the ERROR message.

To do this I added " -x" to first line of /usr/lib/portage/bin/ebuild.sh

This produced a lot of output including the following lines:
+ mv /var/tmp/portage/sys-apps/portage-2.1.6.7/temp/environment.filtered /var/tmp/portage/sys-apps/portage-2.1.6.7/temp/environment
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

I tried to reproduce it manually by calling mv and also got the error:
me # sandbox mv dummy dummy1
sandbox mv dummy dummy1
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

Running the same as root does not complain, running as user portage complains again.

So it looks like sandbox cannot be loaded properly as normal user for *some* commands but has no issues for others.

me # sandbox /bin/ls /
OK
me # sandbox /bin/mv --help
ERROR

Both ls and mv come from coreutils
Comment 6 Bruno 2009-04-24 20:34:54 UTC
I also scanned my system for files containing sandbox in their names and all I found (in /bin, /sbin, /lib, /usr) were:
/usr/bin/sandbox.orig
/usr/bin/sandbox
/usr/lib/libsandbox.la
/usr/lib/libsandbox.so
/usr/lib/python2.5/site-packages/setuptools/sandbox.py
/usr/lib/python2.5/site-packages/setuptools/sandbox.pyc
/usr/lib/python2.5/site-packages/setuptools/sandbox.pyo
/usr/share/cvs/contrib/sandbox_status
/usr/share/doc/sandbox-1.6-r2
/usr/share/sandbox
/usr/share/sandbox/sandbox.bashrc

So there is definitely no stale sandbox version hanging around.
Comment 7 SpanKY gentoo-dev 2009-04-26 14:53:26 UTC
/usr/bin/sandbox.orig obviously shouldnt exist

what does `file` show when run on ls and mv ?

what are the permissions on the libsandbox.so library ?
Comment 8 Bruno 2009-04-26 17:02:06 UTC
Created attachment 189528 [details]
/bin/ls, /bin/mv, /usr/lib/libsandbox.so

The sandbox.orig is me renaming /usr/bin/sandbox and putting a replacement shell wrapper calling the original instance after printing out the command line (was in order to determine callers of sandbox during emerge so I could catch failing apps more quickly)

I notice no real difference between mv and ls. In case you want to have a look at the binaries themselves, I attached /bin/ls, /bin/mv and /usr/lib/sandbox.so (in a tar archive).
strace on /bin/mv did not show anything useful either:

...
[pid 22917] open("/usr/lib/sse2/libsandbox.so", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 22917] stat64("/usr/lib/sse2", 0xbfdd6884) = -1 ENOENT (No such file or directory)
[pid 22917] open("/usr/lib/libsandbox.so", O_RDONLY) = 3
[pid 22917] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\33\0\0004\0\0\0\274"..., 512) = 512
[pid 22917] fstat64(3, {st_mode=S_IFREG|0755, st_size=50636, ...}) = 0
[pid 22917] close(3)                    = 0
[pid 22917] writev(2, [{"ERROR: ld.so: object '"..., 22}, {"libsandbox.so"..., 13}, {"' from "..., 7}, {"LD_PRELOAD"..., 10}, {" cannot be preloaded: ignored.\n"..., 31}], 5ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
) = 83


file /bin/mv 
/bin/mv: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped

file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), stripped

ls -l /usr/lib/libsandbox.so
-rwxr-xr-x 1 root root 50636 2009-04-23 18:19 /usr/lib/libsandbox.so
Comment 9 Bruno 2009-06-18 13:03:21 UTC
Ok, now I know what's the detail to cause this.
Here are the full steps (should work on any system with CONFIG_SECURITY_FILE_CAPABILITIES=y:

root# emerge sys-apps/coreutils
root# touch /tmp/dummy
rout# mv /tmp/dummy /tmp/dummy1
root# setcap "cap_setfcap=ie cap_chown=ie" /bin/mv
root# mv /tmp/dummy1 /tmp/dummy
root# setcap -r /bin/mv
root# mv /tmp/dummy /tmp/dummy1

Repeating the same as a normal user:
user# su
 root# emerge sys-apps/coreutils
 root# exit
user# touch /tmp/dummy
user# mv /tmp/dummy /tmp/dummy1
user# su
 root# setcap "cap_setfcap=ie cap_chown=ie" /bin/mv
 root# exit
user# mv /tmp/dummy1 /tmp/dummy
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
user# su
 root# setcap -r /bin/mv
 root# exit
user# mv /tmp/dummy /tmp/dummy1


So for some reason sandbox loading fails when file-capabilities are used to restrict what capabilities a process may get...
Comment 10 SpanKY gentoo-dev 2009-06-19 10:57:54 UTC
you set those file caps yourself right ?  i'm not aware of any ebuild doing this for you.

off the top of my head though, i dont know why it would make any difference at all
Comment 11 Bruno 2009-06-19 11:15:02 UTC
(In reply to comment #10)
> you set those file caps yourself right ?  i'm not aware of any ebuild doing
> this for you.
Exact, I played a bit with file caps. Don't know any ebuild that would handle file caps (there was a thread on gentoo-dev about file caps some time ago, but I have not heard of anything hitting the tree)

> off the top of my head though, i dont know why it would make any difference at
> all
Especially those flags I did set for mv should not have any affect for a system user (they should just reduce caps for root).
Comment 12 Michael Haubenwallner (RETIRED) gentoo-dev 2009-06-19 20:17:27 UTC
Not that I know how file capabilities work, so maybe of less help at all, but I just have seen this in Prefix on RHEL 5.2 (does not cause the merge to stop):

ACCESS DENIED  open_wr:   /selinux/context
Comment 13 SpanKY gentoo-dev 2009-06-19 21:52:28 UTC
i think dont think that is related in any way to this bug
Comment 14 Fab 2010-06-10 10:43:54 UTC
I hit this bug on a stable x86 system while trying to install games-rpg/nwn-data. The ebuild fall into an endless loop like this :

> >>> Unpacking source...
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> Please insert your first Neverwinter Nights CD/DVD into your drive and
> press any key to continue

> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> Please insert your first Neverwinter Nights CD/DVD into your drive and
> press any key to continue
> ^C

I must hit ctrl+c to abort. I then read the nwn-data ebuild, and found that the CD_ROOT autodetection is broken for me because the mount command always return this error if executed into the sandbox without root privileges (FEATURES="userpriv").

> $ sandbox mount
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.
> /dev/sda1 on / type ext4 (rw,noatime)

The workaround for me is simple : export CD_ROOT="/my/cd/path" before emerging nwn-data, but now I know that CD autodetection from ebuilds is broken for me.

sandbox-1.6-r2 installed.
Comment 15 Simon Gao 2010-06-17 18:42:23 UTC
I also run into this problem with a machine running X86_64 version.

Looks like libsandbox.so/la are installed into /usr/lib32 and /usr/lib64. 

My fix is creating symlinks from /usr/lib32/libsandbox.so/la to /usr/lib/libsandbox.so/la.

sys-apps/sandbox-1.6-r2 must has a bug at least for x86_64 version.

Simon
Comment 16 Simon Gao 2010-06-17 18:58:41 UTC
A better solution is to add /usr/lib32 and /usr/lib64 to /etc/ld.so.conf file.
Then run ldconfig.

Simon
Comment 17 SpanKY gentoo-dev 2010-08-15 05:53:08 UTC
that has nothing to do with this bug, nor do i know what you're talking about.  open a new bug for your issue with proper info & full logs.
Comment 18 SpanKY gentoo-dev 2010-11-23 01:33:42 UTC
thinking about it some more, i think this is expected behavior.  you're running with FEATURES=userpriv, and setting capabilities on a program have pretty much the same general practical implications of doing set*id on the binary.  since you're executing `mv` as non-root, glibc's ldso will ignore LD_PRELOAD for security protection (ignore symbol interposition, constructors, etc...).

in other words, i dont think there's any way this can be "fixed".