tech-toolchain archive


Re: RT linker, rpath and security



On Thu, May 11, 2023 at 09:45:28AM +0200, Martin Husemann wrote:
> On Thu, May 11, 2023 at 08:09:30AM +0200, tlaronde%polynum.com@localhost wrote:
> > Isn't it the way a run time linker uses rpath search path a security
> > risk?
> 
> IMHO it is not the job of the runtime linker to fix up stupid admin decisions.
> Our own builds do not produce any binaries that have dangerous RPATH entries
> inside our default setups.

Would you mind specifying what "admin decisions" you are referring to?

Because the problem happens at compilation time, during the link phase:
a spurious directory is added first in the registered ELF rpath.

The executable will be put in a "safe" dedicated place. The libraries
also. If paranoid, verifying the code will show nothing nasty; using
ldd(1) will resolve the dependencies to the correct libraries.

Nonetheless, you have installed a trojan (whether intentional or
resulting from a blunder in the compilation phase, or laziness during
the compilation phase---converting every occurring -L directive to a -Wl,-R).

Afterwards, a matching incorrect or even intentionally nasty library
will be put in this spurious dir and found first, because of the rpath.

Is the rpath verified, for example, when installing pkgsrc packages?

Does ELF have a variant that enforces specifying the "full" pathname of a
library to be loaded ("full" but only relative to sysroot if this is supported)?
-- 
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
                     http://www.kergis.com/
                    http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C
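
An added example, not part of the original message or of any pkgsrc tooling: one way to run the install-time check the message asks about, by auditing the RPATH/RUNPATH entries printed by `readelf -d`. The trusted prefix list, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Constructed sample of `readelf -d` output; all paths are illustrative.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libfoo.so.1]
 0x000000000000000f (RPATH)              Library rpath: [/home/builder/work/lib:/usr/pkg/lib::lib]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/lib]
"""

# Assumed site policy: directories libraries are expected to load from.
TRUSTED = ("/lib", "/usr/lib", "/usr/pkg/lib")

_TAG = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def under(path, prefix):
    """True if path is prefix itself or lies below it (no '/usr/libevil' match)."""
    return path == prefix or path.startswith(prefix + "/")


def audit_rpath(readelf_output, trusted=TRUSTED):
    """Return (tag, position, entry, reason) for each suspicious entry.

    Position matters: entries are searched in order, so a spurious
    directory at position 0 shadows every later, legitimate one.
    """
    findings = []
    for tag, value in _TAG.findall(readelf_output):
        for pos, entry in enumerate(value.split(":")):
            if entry == "":
                reason = "empty entry"  # some loaders read this as the cwd
            elif entry.startswith(("$ORIGIN", "${ORIGIN}")):
                reason = "depends on where the binary is installed"
            elif not entry.startswith("/"):
                reason = "relative path"
            elif ".." in entry.split("/"):
                reason = "contains '..'"
            elif not any(under(entry, p) for p in trusted):
                reason = "outside trusted prefixes"
            else:
                continue
            findings.append((tag, pos, entry, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_rpath(SAMPLE):
        print("%s[%d] %r: %s" % finding)
```

To check a real binary, pass the text produced by `readelf -d <file>` to `audit_rpath()` and fail the install step when the returned list is not empty.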

