1.\" Copyright (c) 1995 Paul Kranenburg 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgment: 14.\" This product includes software developed by Paul Kranenburg. 15.\" 3. The name of the author may not be used to endorse or promote products 16.\" derived from this software without specific prior written permission 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28.\" 29.Dd July 24, 2024 30.Dt RTLD 1 31.Os 32.Sh NAME 33.Nm ld-elf.so.1 , 34.Nm ld.so , 35.Nm rtld 36.Nd run-time link-editor 37.Sh DESCRIPTION 38The 39.Nm 40utility is a self-contained shared object providing run-time 41support for loading and link-editing shared objects into a process' 42address space. 43It is also commonly known as the dynamic linker. 44It uses the data structures 45contained within dynamically linked programs to determine which shared 46libraries are needed and loads them using the 47.Xr mmap 2 48system call. 49.Pp 50After all shared libraries have been successfully loaded, 51.Nm 52proceeds to resolve external references from both the main program and 53all objects loaded. 54A mechanism is provided for initialization routines 55to be called on a per-object basis, giving a shared object an opportunity 56to perform any extra set-up before execution of the program proper begins. 57This is useful for C++ libraries that contain static constructors. 58.Pp 59When resolving dependencies for the loaded objects, 60.Nm 61translates dynamic token strings in rpath and soname. 62If the 63.Fl "z origin" 64option of the static linker was set when linking the binary, 65the token expansion is performed at the object load time, see 66.Xr ld 1 . 67The following strings are recognized now: 68.Bl -tag -width ".Pa $PLATFORM" 69.It Pa $ORIGIN 70Translated to the full path of the loaded object. 71.It Pa $OSNAME 72Translated to the name of the operating system implementation. 73.It Pa $OSREL 74Translated to the release level of the operating system. 75.It Pa $PLATFORM 76Translated to the machine hardware platform. 77.It Pa $LIB 78Translated to the system library path component on the platform. 79It is 80.Pa lib 81for native binaries, and typically 82.Pa lib32 83for compat32 binaries. 84Other translations might exist for other ABIs supported on the platform. 85.El 86.Pp 87The 88.Nm 89utility itself is loaded by the kernel together with any dynamically-linked 90program that is to be executed. 91The kernel transfers control to the 92dynamic linker. 93After the dynamic linker has finished loading, 94relocating, and initializing the program and its required shared 95objects, it transfers control to the entry point of the program. 96The following search order is used to locate required shared objects: 97.Pp 98.Bl -enum -offset indent -compact 99.It 100.Dv DT_RPATH 101of the referencing object unless that object also contains a 102.Dv DT_RUNPATH 103tag 104.It 105.Dv DT_RPATH 106of the program unless the referencing object contains a 107.Dv DT_RUNPATH 108tag 109.It 110Path indicated by 111.Ev LD_LIBRARY_PATH 112environment variable 113.It 114.Dv DT_RUNPATH 115of the referencing object 116.It 117Hints file produced by the 118.Xr ldconfig 8 119utility 120.It 121The 122.Pa /lib 123and 124.Pa /usr/lib 125directories, unless the referencing object was linked using the 126.Dq Fl z Ar nodefaultlib 127option 128.El 129.Pp 130The 131.Nm 132utility 133recognizes a number of environment variables that can be used to modify 134its behaviour. 135On 64-bit architectures, the linker for 32-bit objects recognizes 136all the environment variables listed below, but is being prefixed with 137.Ev LD_32_ , 138for example: 139.Ev LD_32_TRACE_LOADED_OBJECTS . 140If the activated image is setuid or setgid, the variables are ignored. 141.Bl -tag -width ".Ev LD_LIBMAP_DISABLE" 142.It Ev LD_DUMP_REL_POST 143If set, 144.Nm 145will print a table containing all relocations after symbol 146binding and relocation. 147.It Ev LD_DUMP_REL_PRE 148If set, 149.Nm 150will print a table containing all relocations before symbol 151binding and relocation. 152.It Ev LD_DYNAMIC_WEAK 153If set, use the ELF standard-compliant symbol lookup behavior: 154resolve to the first found symbol definition. 155.Pp 156By default, 157.Fx 158provides the non-standard symbol lookup behavior: 159when a weak symbol definition is found, remember the definition and 160keep searching in the remaining shared objects for a non-weak definition. 161If found, the non-weak definition is preferred, otherwise the remembered 162weak definition is returned. 163.Pp 164Symbols exported by dynamic linker itself (see 165.Xr dlfcn 3 ) 166are always resolved using 167.Fx 168rules regardless of the presence of the variable. 169This variable is unset for set-user-ID and set-group-ID programs. 170.It Ev LD_LIBMAP 171A library replacement list in the same format as 172.Xr libmap.conf 5 . 173For convenience, the characters 174.Ql = 175and 176.Ql \&, 177can be used instead of a space and a newline. 178This variable is parsed after 179.Xr libmap.conf 5 , 180and will override its entries. 181This variable is unset for set-user-ID and set-group-ID programs. 182.It Ev LD_LIBMAP_DISABLE 183If set, disables the use of 184.Xr libmap.conf 5 185and 186.Ev LD_LIBMAP . 187This variable is unset for set-user-ID and set-group-ID programs. 188.It Ev LD_ELF_HINTS_PATH 189This variable will override the default location of 190.Dq hints 191file. 192This variable is unset for set-user-ID and set-group-ID programs. 193.It Ev LD_LIBRARY_PATH 194A colon separated list of directories, overriding the default search path 195for shared libraries. 196This variable is unset for set-user-ID and set-group-ID programs. 197.It Ev LD_LIBRARY_PATH_RPATH 198If the variable is specified and has a value starting with 199any of \'y\', \'Y\' or \'1\' symbols, the path specified by 200.Ev LD_LIBRARY_PATH 201variable is allowed to override the path from 202.Dv DT_RPATH 203for binaries which does not contain 204.Dv DT_RUNPATH 205tag. 206For such binaries, when the variable 207.Ev LD_LIBRARY_PATH_RPATH 208is set, 209.Dq Fl z Ar nodefaultlib 210link-time option is ignored as well. 211.It Ev LD_PRELOAD 212A list of shared libraries, separated by colons and/or white space, 213to be linked in before any 214other shared libraries. 215If the directory is not specified then 216the directories specified by 217.Ev LD_LIBRARY_PATH 218will be searched first 219followed by the set of built-in standard directories. 220This variable is unset for set-user-ID and set-group-ID programs. 221.It Ev LD_PRELOAD_FDS 222A colon separated list of file descriptor numbers for libraries. 223This is intended for preloading libraries in which we already have a file 224descriptor. 225This may optimize the process of loading libraries because we do not have to 226look for them in directories. 227It may also be useful in a capability base system where we do not have access to 228global namespaces such as the filesystem. 229.It Ev LD_LIBRARY_PATH_FDS 230A colon separated list of file descriptor numbers for library directories. 231This is intended for use within 232.Xr capsicum 4 233sandboxes, when global namespaces such as the filesystem are unavailable. 234It is consulted just after LD_LIBRARY_PATH. 235This variable is unset for set-user-ID and set-group-ID programs. 236.It Ev LD_BIND_NOT 237When set to a nonempty string, prevents modifications of the PLT slots when 238doing bindings. 239As result, each call of the PLT-resolved function is resolved. 240In combination with debug output, this provides complete account of 241all bind actions at runtime. 242This variable is unset for set-user-ID and set-group-ID programs. 243.It Ev LD_BIND_NOW 244When set to a nonempty string, causes 245.Nm 246to relocate all external function calls before starting execution of the 247program. 248Normally, function calls are bound lazily, at the first call 249of each function. 250.Ev LD_BIND_NOW 251increases the start-up time of a program, but it avoids run-time 252surprises caused by unexpectedly undefined functions. 253.It Ev LD_TRACE_LOADED_OBJECTS 254When set to a nonempty string, causes 255.Nm 256to exit after loading the shared objects and printing a summary which includes 257the absolute pathnames of all objects, to standard output. 258.It Ev LD_TRACE_LOADED_OBJECTS_ALL 259When set to a nonempty string, causes 260.Nm 261to expand the summary to indicate which objects caused each object to 262be loaded. 263.It Ev LD_TRACE_LOADED_OBJECTS_FMT1 264.It Ev LD_TRACE_LOADED_OBJECTS_FMT2 265When set, these variables are interpreted as format strings a la 266.Xr printf 3 267to customize the trace output and are used by 268.Xr ldd 1 Ns 's 269.Fl f 270option and allows 271.Xr ldd 1 272to be operated as a filter more conveniently. 273If the dependency name starts with string 274.Pa lib , 275.Ev LD_TRACE_LOADED_OBJECTS_FMT1 276is used, otherwise 277.Ev LD_TRACE_LOADED_OBJECTS_FMT2 278is used. 279The following conversions can be used: 280.Bl -tag -width 4n 281.It Li %a 282The main program's name 283(also known as 284.Dq __progname ) . 285.It Li \&%A 286The value of the environment variable 287.Ev LD_TRACE_LOADED_OBJECTS_PROGNAME . 288Typically used to print both the names of programs and shared libraries 289being inspected using 290.Xr ldd 1 . 291.It Li %o 292The library name. 293.It Li %p 294The full pathname as determined by 295.Nm rtld Ns 's 296library search rules. 297.It Li %x 298The library's load address. 299.El 300.Pp 301Additionally, 302.Ql \en 303and 304.Ql \et 305are recognized and have their usual meaning. 306.It Ev LD_UTRACE 307If set, 308.Nm 309will log events such as the loading and unloading of shared objects via 310.Xr utrace 2 . 311.It Ev LD_LOADFLTR 312If set, 313.Nm 314will process the filtee dependencies of the loaded objects immediately, 315instead of postponing it until required. 316Normally, the filtees are opened at the time of the first symbol resolution 317from the filter object. 318.It Ev LD_SHOW_AUXV 319If set, causes 320.Nm 321to dump content of the aux vector to standard output, before passing 322control to any user code. 323.It Ev LD_STATIC_TLS_EXTRA 324If the variable is specified and has a numeric value, 325.Nm 326will set the size of the static TLS extra space to the specified number 327of bytes. 328The static TLS extra space is used when loading objects compiled for 329initial-exec TLS code model with 330.Xr dlopen 3 . 331The minimum value that can be specified is \'128\'. 332.It Ev LD_NO_DL_ITERATE_PHDR_AFTER_FORK 333Allow 334.Xr dl_iterate_phdr 3 335to block in callback, without causing deadlock with the 336.Xr fork 2 . 337The drawback is that the image started in this mode cannot use 338.Xr dl_iterate_phdr 3 339after fork. 340.El 341.Sh DIRECT EXECUTION MODE 342.Nm 343is typically used implicitly, loaded by the kernel as requested by the 344.Dv PT_INTERP 345program header of the executed binary. 346.Fx 347also supports a direct execution mode for the dynamic linker. 348In this mode, the user explicitly executes 349.Nm 350and provides the path of the program to be linked and executed as 351an argument. 352This mode allows use of a non-standard dynamic linker for a program 353activation without changing the binary or without changing 354the installed dynamic linker. 355Execution options may be specified. 356.Pp 357The syntax of the direct invocation is 358.Bd -ragged -offset indent 359.Pa /libexec/ld-elf.so.1 360.Op Fl b Ar exe 361.Op Fl d 362.Op Fl f Ar fd 363.Op Fl o Ar OPT=VALUE 364.Op Fl p 365.Op Fl u 366.Op Fl v 367.Op Fl - 368.Pa image_path 369.Op Ar image arguments 370.Ed 371.Pp 372The options are: 373.Bl -tag -width indent 374.It Fl b Ar exe 375Use the executable 376.Fa exe 377instead of 378.Fa image_path 379for activation. 380If this option is specified, 381.Ar image_path 382is only used to provide the 383.Va argv[0] 384value to the program. 385.It Fl d 386Turn off the emulation of the binary execute permission. 387.It Fl f Ar fd 388File descriptor 389.Ar fd 390references the binary to be activated by 391.Nm . 392It must already be opened in the process when executing 393.Nm . 394If this option is specified, 395.Ar image_path 396is only used to provide the 397.Va argv[0] 398value to the program. 399.It Fl o Ar OPT=VALUE 400Set the 401.Ar OPT 402configuration variable to the value 403.Ar VALUE . 404The possible variable names are listed above as 405.Ev LD_ 406prefixed environment variables, but here are referenced without the 407.Ev LD_ 408prefix. 409A configuration variable set this way does not leak into 410the activated image's environment. 411.Pp 412The option can be repeated as many times as needed to set 413all configuration parameters. 414The parameters set using this option have priority over 415the same parameters assigned via environment. 416.It Fl p 417If the 418.Pa image_path 419argument specifies a name which does not contain a slash 420.Dq Li / 421character, 422.Nm 423uses the search path provided by the environment variable 424.Dv PATH 425to find the binary to execute. 426.It Fl u 427Ignore all 428.Ev LD_ 429environment variables and previous command line 430.Fl o 431options that otherwise affect the dynamic 432linker behavior. 433.It Fl v 434Display information about this run-time linker binary, then exit. 435.It Fl - 436Ends the 437.Nm 438options. 439The argument following 440.Fl - 441is interpreted as the path of the binary to execute. 442.El 443.Pp 444In the direct execution mode, 445.Nm 446emulates verification of the binary execute permission for the 447current user. 448This is done to avoid breaking user expectations in naively restricted 449execution environments. 450The verification only uses Unix 451.Dv DACs , 452ignores 453.Dv ACLs , 454and is naturally prone to race conditions. 455Environments which rely on such restrictions are weak 456and breakable on their own. 457It can be turned off with the 458.Fl d 459option. 460.Sh VERSIONING 461Newer 462.Nm 463might provide some features or changes in runtime behavior that cannot be 464easily detected at runtime by checking of the normal exported symbols. 465Note that it is almost always wrong to verify 466.Dv __FreeBSD_version 467in userspace to detect features, either at compile or at run time, 468because either kernel, or libc, or environment variables could not 469match the running 470.Nm . 471.Pp 472To solve the problem, 473.Nm 474exports some feature indicators in the 475.Fx 476private symbols namespace 477.Dv FBSDprivate_1.0 . 478Symbols start with the 479.Dv _rtld_version 480prefix. 481Current list of defined symbols and corresponding features is: 482.Bl -tag -width indent 483.It Dv _rtld_version__FreeBSD_version 484Symbol exports the value of the 485.Dv __FreeBSD_version 486definition as it was provided during the 487.Nm 488build. 489The symbol is always present since the 490.Dv _rtld_version 491facility was introduced. 492.It Dv _rtld_version_laddr_offset 493The 494.Va l_addr 495member of the 496.Vt link_map 497structure contains the load offset of the shared object. 498Before that, 499.Va l_addr 500contained the base address of the library. 501See 502.Xr dlinfo 3 . 503.Pp 504Also it indicates the presence of 505.Va l_refname 506member of the structure. 507.It Dv _rtld_version_dlpi_tls_data 508The 509.Va dlpi_tls_data 510member of the structure 511.Vt dl_phdr_info 512contains the address of the module TLS segment for the calling thread, 513and not the address of the initialization segment. 514.El 515.Sh FILES 516.Bl -tag -width ".Pa /var/run/ld-elf32.so.hints" -compact 517.It Pa /var/run/ld-elf.so.hints 518Hints file. 519.It Pa /var/run/ld-elf32.so.hints 520Hints file for 32-bit binaries on 64-bit system. 521.It Pa /etc/libmap.conf 522The libmap configuration file. 523.It Pa /etc/libmap32.conf 524The libmap configuration file for 32-bit binaries on 64-bit system. 525.El 526.Sh SEE ALSO 527.Xr ld 1 , 528.Xr ldd 1 , 529.Xr dlinfo 3 , 530.Xr capsicum 4 , 531.Xr elf 5 , 532.Xr libmap.conf 5 , 533.Xr ldconfig 8 534