Re: macOS Sierra & System Integrity Protection

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: macOS Sierra & System Integrity Protection
Date: 2017-06-13 03:38:05
Message-ID: 10457.1497325085@sss.pgh.pa.us
Lists: pgsql-hackers

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> ... it turns out that System Integrity Protection
> feature *also* prevents DYLD_LIBRARY_PATH from being inherited by
> child processes in some manner.

Yeah, this was already known and documented on the lists a year or two
back. I suggest filing a bug report with Apple; if enough people bitch
about it, maybe they'll rethink. (I don't have much hope for that,
mind you, but they certainly won't change this without a boatload of
complaints.)

https://www.postgresql.org/message-id/26098.1446697005@sss.pgh.pa.us

> My main purpose in writing this email is to pass along what I learned
> in the hopes of sparing somebody else some trouble, but perhaps there
> is a way to modify our regression test setup so that the tests can
> pass with System Integrity Protection enabled.

Not really. If you want it to take libpq.dylib from the build tree,
rather than some already-installed location, there is no other option
but DYLD_LIBRARY_PATH.

The really annoying thing is that there's no particular security advantage
to be gained by not passing it through bash invocations. If they're not
resetting PATH in such cases, which they aren't, where the heck is the
incremental gain from resetting DYLD_LIBRARY_PATH? A bad guy in control
of the process environment has already won.

regards, tom lane
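
Added example (not part of the original message and not PostgreSQL code): a check for the behaviour discussed above, reporting whether a variable exported by the parent is still set after one hop through a shell, for both PATH and DYLD_LIBRARY_PATH. The function names `survives` and `report` and the probe value are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: does an environment variable survive one hop through a shell?
#
# Usage: survives VAR COMMAND [ARGS...]
# COMMAND must be an absolute path to something that accepts `-c SCRIPT`
# the way a POSIX shell does. Prints "kept" or "stripped".
survives() {
    var=$1
    shift
    probe="/constructed/probe/$$"   # constructed marker value, not a real path
    # Export inside the command-substitution subshell so the caller's
    # environment is untouched, then exec the child directly: no env(1) or
    # other helper binary sits between this script and the shell under test.
    seen=$(
        export "$var=$probe"
        exec "$@" -c "printf %s \"\${$var-}\""
    )
    if [ "$seen" = "$probe" ]; then
        echo kept
    else
        echo stripped
    fi
}

# Compare the two variables the message contrasts, for each shell present.
report() {
    for sh in /bin/sh /bin/bash; do
        [ -x "$sh" ] || continue
        for var in PATH DYLD_LIBRARY_PATH; do
            printf '%s via %s: %s\n' "$var" "$sh" "$(survives "$var" "$sh")"
        done
    done
}

report
```

On a Mac with System Integrity Protection enabled, the behaviour described in this thread would show up as `kept` for PATH and `stripped` for DYLD_LIBRARY_PATH; on other systems both read `kept`.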
