Github messages for voidlinux
 help / color / mirror / Atom feed
* [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries
@ 2021-08-30 23:11 tornaria
  2021-08-30 23:17 ` ericonr
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: tornaria @ 2021-08-30 23:11 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]

New issue by tornaria on void-packages repository

https://github.com/void-linux/void-packages/issues/32769

Description:
I'm compling a library that will "leak" the install directories in rpaths. I mean `/destdir/*`.

I catched it just by chance, so I wonder if it would make sense to check for that and warn/error for bad rpaths like those.

Here's a quick hack. I put this in `common/hooks/post-install/07-pkglint-rpath.sh`. I'm not sure it belongs there or in `pre-pkg`, but seems to work ok there.

```bash
# check rpath
# see: https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh

hook() {
        find ${PKGDESTDIR} -type f | while read f; do
        read -n4 elfmagic < "$f"
        if [ "$elfmagic" = $'\177ELF' ]; then
                        for rpath in $($OBJDUMP -p "$f"|awk '/RPATH/{print $2}'); do
                                lf=${f#${PKGDESTDIR}}
                                case $rpath in
                                        /builddir/*|/destdir/*)
                                                msg_warn "invalid RPATH=$rpath in $lf\n"
                                                ;;
                                        *)
                                                msg_normal "RPATH=$rpath in $lf\n"
                                                ;;
                                esac
                        done
                fi
        done
}
```

Have a look at https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh for a stricter approach, namely:
 - allow only rpaths not starting with /lib, /usr/lib,  $ORIGIN, etc.
 - for those, check that the actual path exists in the package.
 - everything else: warn (could be error, maybe with some way to skip)

Maybe some explanation in the manual would also be helpful, and a suggestion on how to fix it if it can't be disabled in configure/make. What I did was add `chrpath` to `hostmakedepends`, and run `chrpath -d FILES` from `post_install()`.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] lint for invalid/insecure rpath in binaries and libraries
  2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
@ 2021-08-30 23:17 ` ericonr
  2022-06-04  2:09 ` github-actions
  2022-06-18  2:12 ` [ISSUE] [CLOSED] " github-actions
  2 siblings, 0 replies; 4+ messages in thread
From: ericonr @ 2021-08-30 23:17 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 387 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/32769#issuecomment-908772080

Comment:
> for those, check that the actual path exists in the package.

Not sure this one would work, since you could have `rpath` to the path in a dependency.

> allow only rpaths not starting with /lib, /usr/lib, $ORIGIN, etc.

I like this one!

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [RFC] lint for invalid/insecure rpath in binaries and libraries
  2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
  2021-08-30 23:17 ` ericonr
@ 2022-06-04  2:09 ` github-actions
  2022-06-18  2:12 ` [ISSUE] [CLOSED] " github-actions
  2 siblings, 0 replies; 4+ messages in thread
From: github-actions @ 2022-06-04  2:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 293 bytes --]

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/32769#issuecomment-1146498571

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that.  If this issue is still relevant bump it or assign it.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [ISSUE] [CLOSED] [RFC] lint for invalid/insecure rpath in binaries and libraries
  2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
  2021-08-30 23:17 ` ericonr
  2022-06-04  2:09 ` github-actions
@ 2022-06-18  2:12 ` github-actions
  2 siblings, 0 replies; 4+ messages in thread
From: github-actions @ 2022-06-18  2:12 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2022 bytes --]

Closed issue by tornaria on void-packages repository

https://github.com/void-linux/void-packages/issues/32769

Description:
I'm compling a library that will "leak" the install directories in rpaths. I mean `/destdir/*`.

I catched it just by chance, so I wonder if it would make sense to check for that and warn/error for bad rpaths like those.

Here's a quick hack. I put this in `common/hooks/post-install/07-pkglint-rpath.sh`. I'm not sure it belongs there or in `pre-pkg`, but seems to work ok there.

```bash
# check rpath
# see: https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh

hook() {
        find ${PKGDESTDIR} -type f | while read f; do
        read -n4 elfmagic < "$f"
        if [ "$elfmagic" = $'\177ELF' ]; then
                        for rpath in $($OBJDUMP -p "$f"|awk '/RPATH/{print $2}'); do
                                lf=${f#${PKGDESTDIR}}
                                case $rpath in
                                        /builddir/*|/destdir/*)
                                                msg_warn "invalid RPATH=$rpath in $lf\n"
                                                ;;
                                        *)
                                                msg_normal "RPATH=$rpath in $lf\n"
                                                ;;
                                esac
                        done
                fi
        done
}
```

Have a look at https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh for a stricter approach, namely:
 - allow only rpaths not starting with /lib, /usr/lib,  $ORIGIN, etc.
 - for those, check that the actual path exists in the package.
 - everything else: warn (could be error, maybe with some way to skip)

Maybe some explanation in the manual would also be helpful, and a suggestion on how to fix it if it can't be disabled in configure/make. What I did was add `chrpath` to `hostmakedepends`, and run `chrpath -d FILES` from `post_install()`.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-06-18  2:12 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
2021-08-30 23:17 ` ericonr
2022-06-04  2:09 ` github-actions
2022-06-18  2:12 ` [ISSUE] [CLOSED] " github-actions

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).