Variables LD_LIBRARY_PATH / DYLD_LIBRARY_PATH are ignored on MAC OS if System Integrity Protect (SIP) is enable

Source: Variables LD_LIBRARY_PATH / DYLD_LIBRARY_PATH are ignored on MAC OS if System Integrity Protect (SIP) is enable

Publish Date: Dec 22, 2017

Resolution

SYMPTOM

You configure environment variables LD_LIBRARY_PATH or DYLD_LIBRARY_PATH including path to custom libraries and the libraries are not loaded, JVM report exception java.lang.UnsatisfiedLinkError :

java.lang.UnsatisfiedLinkError: no dbjdbc16 in java.library.path

You can verify this behavior executing (with root or not root user) from terminal:

Check current values for LD_LIBRARY_PATH or DYLD_LIBRARY_PATH with echo and env command:

$> env | grep LD_LIBRARY_PATH 
$>    << empty >> 
$> echo $LD_LIBRARY_PATH
$>    << empty >>
$> echo $DYLD_LIBRARY_PATH
$>    << empty >>

Check environment variables with java (see attached code)

Compile LDVars.java and execute:

$> java LDVars
LD_LIBRARY_PATH  =null
DYLD_LIBRARY_PATH=null

Export variables, appending “/tmp“

$> export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/tmp
$> export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:/tmp

Check variables again

$> env | grep LD_LIBRARY_PATH
$>    << empty >> 

$> echo $LD_LIBRARY_PATH
$> :/tmp  << Include /tmp >>
$> echo $DYLD_LIBRARY_PATH
$> :/tmp  << Include /tmp >>

$> cd /tmp
$> java LDVars
LD_LIBRARY_PATH =null 
DYLD_LIBRARY_PATH=null

Despite “echo” command show the variable set, the variable is not set and native libraries from /tmp will not be loaded.

CAUSE

MAC OS System Integrity Protect (SIP) doesn’t allow to set environment variables LD_LIBRARY_PATH and/or DYLD_LIBRARY_PATH (DYLD_LIBRARY_PATH is MAC specific).

SOLUTION

Disable SIP.

Follow these steps to disable:

Restart your Mac.
Before OS X starts up, hold down Command-R and keep it held down until you see an Apple icon and a progress bar. Release. This boots you into Recovery.
From the Utilities menu, select Terminal.
At the prompt type exactly the following and then press Return: csrutil disable
Terminal should display a message that SIP was disabled.
From the  menu, select Restart.

You can re-enable SIP by following the above steps, but using “csrutil enable” instead.

REFERENCES

About System Integrity Protection on your Mac https://support.apple.com/en-us/HT204899
Runtime Protections https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html#//apple_ref/doc/uid/TP40016462-CH3-SW1
Configuring System Integrity Protection https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html

Disclaimer: this is provided as a reference for your own usage and it’s not part of the official Mule product so its use will be considered as a custom implementation made by the customer.

Attachments

LDVars.java

Knowledge Article Number

001118103