FS#14049 - [namcap] should check about insecure RPATH in ELF files.

Attached to Project: Arch Linux
Opened by Gerardo Exequiel Pozzi (djgera) - Tuesday, 31 March 2009, 23:08 GMT
Last edited by Dan McGee (toofishes) - Monday, 01 March 2010, 05:11 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Hugo Doria (hdoria)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description:
namcap should check about insecure RPATH/RUNPATH in ELF (executables, shared objects, dynamic loading modules, etc) files.

More info about why the importance of this are in  FS#13890  - Packaging creation and rpath issues

* RPATH and RUNPATH can be obtained with "readelf -d the-elf-file"
* RPATH can be a single path, or a list separated with a ":"

Insecure RPATHs are for example:
** In general insecure rpath are that are outside of /lib /usr/lib or (for example /opt/program/lib)
* [] an empty RPATH
* [:] a list of two empty RPATHs ([::], [:::], etc)
* [.] works like empty rpath
* [/home/xyz/x/y/z] a path that point to user directories (POC example  FS#13891  - [acl] A trivial fix RPATH issue)
* [/tmp] or [/build] or [/mnt] etc.
* [:/usr/lib] empty + good path, because lib will be located first in current directory
* [/usr/lib:] good path + bad, because if lib ins't in /usr/lib is searched in current directory

Also can warn about /usr/local/lib (some packages have this), because if user install libs here, these can be used (if exist) instead of the libs that packaged in /usr/lib.

Having a RPATH/RUNPATH is a bad idea, a least if program really need it.

Additional info:
namcap-2.2-2
For libs search order: "man ld.so", and info about especial vars in RPATH like $ORIGIN $PLATAFORM and $LIB.


Extract of uniques rpaths that are in ELF files from core/extra/community packages are attached.
   rpaths.core.extra.community.t... (11.6 KiB)
This task depends upon

Closed by  Dan McGee (toofishes)
Monday, 01 March 2010, 05:11 GMT
Reason for closing:  Fixed
Additional comments about closing:  namcap 2.5
Comment by Abhishek Dasgupta (abhidg) - Friday, 03 April 2009, 13:29 GMT
I've done some initial work here:
http://github.com/abhidg/namcap/commits/experimental

Note that the commit won't apply cleanly against the
master branch of namcap due to an error in the commit
"move to machine-parseable tags" which has been fixed
in the main master branch at projects.archlinux.org
but not in my github master branch (it gave an error
that the branch could not be fast forwarded).

Currently the allowed library paths are /usr/lib only.

Example output on subversion 1.6.0-2:
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Core/_Core.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Fs/_Fs.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Ra/_Ra.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Delta/_Delta.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Repos/_Repos.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Wc/_Wc.so
subversion E: insecure-rpath usr/lib/perl5/vendor_perl/auto/SVN/_Client/_Client.so
Comment by Allan McRae (Allan) - Friday, 10 April 2009, 03:28 GMT
Maybe we should downgrade this to a warning for everything with an RPATH set. It is probably best for the RPATH to be completely unset, and it is difficult to determine what a bad RPATH actually is. Otherwise, I think the patch looked good to me.
Comment by Abhishek Dasgupta (abhidg) - Sunday, 28 June 2009, 15:36 GMT
Right now, the code does not flag /usr/lib in the RPATH as
a warning/error. If it's decided that any RPATH should trigger
a warning, then I'll modify the code accordingly.
Comment by Gerardo Exequiel Pozzi (djgera) - Saturday, 01 August 2009, 20:37 GMT
  • Field changed: Percent Complete (100% → 50%)
namcap warns about rpaths that are correct, like /lib or /usr/lib/somepath/
Comment by Abhishek Dasgupta (abhidg) - Sunday, 02 August 2009, 04:09 GMT
Ah, the current code thinks that *anything* other than /usr/lib
is _bad_. I'll put /lib and /usr/lib/whatever in the whitelist.
Is /lib/whatever OK as well?
Comment by Abhishek Dasgupta (abhidg) - Sunday, 02 August 2009, 10:15 GMT
This patch should fix the problem. Now /usr/lib/* and /lib/* are good rpaths.
   0001-Fix-rpath-usr-lib-and-li... (1.3 KiB)
Comment by Gerardo Exequiel Pozzi (djgera) - Sunday, 02 August 2009, 18:23 GMT
Thanks Abhishek.

Also add for /opt/somepath (for example qt3 or kde3 uses it).
There are few cases that some elf uses relative path, when for example $ORIGIN or ${ORIGIN} is present, this paths also can be correct as in this example (openjdk6):
The executable "/usr/lib/jvm/java-1.6.0-openjdk/bin/appletviewer" have the RPATH "$ORIGIN/../lib/i386/jli:$ORIGIN/../jre/lib/i386/jli", then RPATH is resolved to /usr/lib/jvm/java-1.6.0-openjdk/lib/i386/jli and /usr/lib/jvm/java-1.6.0-openjdk/jre/lib/i386/jli


Also can appears others from apps that breaks FHS standards, for example: /usr/share/Amaya/lib (from community/amaya). Another example RPATH /usr/i686-pc-linux-gnu/arm-elf/lib from (community/cross-arm-elf-binutils) [But this will be also triggered by elffiles.py so don't worry about this]

Attached a list of all RPATH present in packages from core/extra/community.
   rpaths.txt (2.8 KiB)
Comment by Gerardo Exequiel Pozzi (djgera) - Sunday, 02 August 2009, 19:15 GMT
Will be useful if namcap also show what is the rpath, not only show the warning :)

About the list rpaths.txt, ignore these entries that are from ELF for other architectures (netbeans, webmin) that are always installed: "/lib:/opt/csw/gcc3/lib/$ISALIST:/opt/csw/lib/$ISALIST" and "/usr/lib/pa20_64:/opt/langtools/lib/pa20_64:"
Comment by Vesa Kaihlavirta (vegai) - Wednesday, 23 December 2009, 08:34 GMT
Haskell packages built with shared libs install into /usr/lib/<pkgname> which causes (pointless?) namcap errors.
Comment by Eric Belanger (Snowman) - Wednesday, 24 February 2010, 05:05 GMT
Same with perl:

net-snmp E: Insecure RPATH (usr/sbin/snmpd). If present, RPATH should be only /usr/lib.

$ readelf -d /usr/sbin/snmpd |grep RPATH
0x000000000000000f (RPATH) Library rpath: [/usr/lib/perl5/core_perl/CORE]

Loading...