* [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries
@ 2021-08-30 23:11 tornaria
2021-08-30 23:17 ` ericonr
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: tornaria @ 2021-08-30 23:11 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]
New issue by tornaria on void-packages repository
https://github.com/void-linux/void-packages/issues/32769
Description:
I'm compling a library that will "leak" the install directories in rpaths. I mean `/destdir/*`.
I catched it just by chance, so I wonder if it would make sense to check for that and warn/error for bad rpaths like those.
Here's a quick hack. I put this in `common/hooks/post-install/07-pkglint-rpath.sh`. I'm not sure it belongs there or in `pre-pkg`, but seems to work ok there.
```bash
# check rpath
# see: https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh
hook() {
find ${PKGDESTDIR} -type f | while read f; do
read -n4 elfmagic < "$f"
if [ "$elfmagic" = $'\177ELF' ]; then
for rpath in $($OBJDUMP -p "$f"|awk '/RPATH/{print $2}'); do
lf=${f#${PKGDESTDIR}}
case $rpath in
/builddir/*|/destdir/*)
msg_warn "invalid RPATH=$rpath in $lf\n"
;;
*)
msg_normal "RPATH=$rpath in $lf\n"
;;
esac
done
fi
done
}
```
Have a look at https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh for a stricter approach, namely:
- allow only rpaths not starting with /lib, /usr/lib, $ORIGIN, etc.
- for those, check that the actual path exists in the package.
- everything else: warn (could be error, maybe with some way to skip)
Maybe some explanation in the manual would also be helpful, and a suggestion on how to fix it if it can't be disabled in configure/make. What I did was add `chrpath` to `hostmakedepends`, and run `chrpath -d FILES` from `post_install()`.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] lint for invalid/insecure rpath in binaries and libraries
2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
@ 2021-08-30 23:17 ` ericonr
2022-06-04 2:09 ` github-actions
2022-06-18 2:12 ` [ISSUE] [CLOSED] " github-actions
2 siblings, 0 replies; 4+ messages in thread
From: ericonr @ 2021-08-30 23:17 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 387 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/issues/32769#issuecomment-908772080
Comment:
> for those, check that the actual path exists in the package.
Not sure this one would work, since you could have `rpath` to the path in a dependency.
> allow only rpaths not starting with /lib, /usr/lib, $ORIGIN, etc.
I like this one!
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] lint for invalid/insecure rpath in binaries and libraries
2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
2021-08-30 23:17 ` ericonr
@ 2022-06-04 2:09 ` github-actions
2022-06-18 2:12 ` [ISSUE] [CLOSED] " github-actions
2 siblings, 0 replies; 4+ messages in thread
From: github-actions @ 2022-06-04 2:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 293 bytes --]
New comment by github-actions[bot] on void-packages repository
https://github.com/void-linux/void-packages/issues/32769#issuecomment-1146498571
Comment:
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ISSUE] [CLOSED] [RFC] lint for invalid/insecure rpath in binaries and libraries
2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
2021-08-30 23:17 ` ericonr
2022-06-04 2:09 ` github-actions
@ 2022-06-18 2:12 ` github-actions
2 siblings, 0 replies; 4+ messages in thread
From: github-actions @ 2022-06-18 2:12 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 2022 bytes --]
Closed issue by tornaria on void-packages repository
https://github.com/void-linux/void-packages/issues/32769
Description:
I'm compling a library that will "leak" the install directories in rpaths. I mean `/destdir/*`.
I catched it just by chance, so I wonder if it would make sense to check for that and warn/error for bad rpaths like those.
Here's a quick hack. I put this in `common/hooks/post-install/07-pkglint-rpath.sh`. I'm not sure it belongs there or in `pre-pkg`, but seems to work ok there.
```bash
# check rpath
# see: https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh
hook() {
find ${PKGDESTDIR} -type f | while read f; do
read -n4 elfmagic < "$f"
if [ "$elfmagic" = $'\177ELF' ]; then
for rpath in $($OBJDUMP -p "$f"|awk '/RPATH/{print $2}'); do
lf=${f#${PKGDESTDIR}}
case $rpath in
/builddir/*|/destdir/*)
msg_warn "invalid RPATH=$rpath in $lf\n"
;;
*)
msg_normal "RPATH=$rpath in $lf\n"
;;
esac
done
fi
done
}
```
Have a look at https://github.com/allanmcrae/pkglint/blob/master/lint_package/rpath.sh for a stricter approach, namely:
- allow only rpaths not starting with /lib, /usr/lib, $ORIGIN, etc.
- for those, check that the actual path exists in the package.
- everything else: warn (could be error, maybe with some way to skip)
Maybe some explanation in the manual would also be helpful, and a suggestion on how to fix it if it can't be disabled in configure/make. What I did was add `chrpath` to `hostmakedepends`, and run `chrpath -d FILES` from `post_install()`.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-06-18 2:12 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-30 23:11 [ISSUE] [RFC] lint for invalid/insecure rpath in binaries and libraries tornaria
2021-08-30 23:17 ` ericonr
2022-06-04 2:09 ` github-actions
2022-06-18 2:12 ` [ISSUE] [CLOSED] " github-actions
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).