Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
Hi,
Martin Carpenter wrote:
>> 8.7 RUNPATH and RPATH
>>
>> Libraries and executables should not define RPATH or RUNPATH unless
>> absolutely necessary.
This part seems vague to me --- if a project relies on RUNPATH but could
be modified to avoid relying on it, is today's use of RUNPATH absolutely
necessary? It's hard enough to act on this recommendation that I don't
think it belongs in policy yet.
>> Those that do should ensure that relative paths or paths that traverse
>> insecure directories (eg /tmp or /var/tmp) are not included. This
>> is to prevent an executable from loading a library from an untrusted
>> location.
This part looks good.
>> (This should include the corner cases whereby the path list
>> starts or ends with a colon, or includes two consecutive colons).
Nit: s/This should include/This include/
Thanks and hope that helps,
Jonathan
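
An added example, not part of the message above and not Debian tooling: a small checker for the conditions the proposed text lists (relative paths, paths that traverse /tmp or /var/tmp, and empty components from a leading, trailing or doubled colon). The names audit_runpath and INSECURE_DIRS are hypothetical, and the input is assumed to be the RPATH/RUNPATH string as reported by a tool such as readelf -d.

```python
# Directories treated as insecure: the two named in the proposed policy text.
INSECURE_DIRS = ("/tmp", "/var/tmp")


def _traverses_insecure(path):
    """Walk an absolute path part by part; True if any prefix is an insecure dir."""
    stack = []
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()
            continue
        stack.append(part)
        prefix = "/" + "/".join(stack)
        if any(prefix == d or prefix.startswith(d + "/") for d in INSECURE_DIRS):
            return True
    return False


def audit_runpath(value):
    """Return (component, reason) findings for one RPATH/RUNPATH string."""
    findings = []
    for comp in value.split(":"):
        if comp == "":
            # Leading, trailing or doubled colon: the corner case in the proposal.
            findings.append((comp, "empty component"))
        elif comp.startswith("$"):
            # Tokens such as $ORIGIN are not expanded here; report for review.
            findings.append((comp, "dynamic string token, not expanded"))
        elif not comp.startswith("/"):
            findings.append((comp, "relative path"))
        elif _traverses_insecure(comp):
            findings.append((comp, "traverses insecure directory"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real package.
    for sample in ("/usr/lib/foo", ":/usr/lib", "/opt/a::/opt/b",
                   "lib:/usr/lib/../../tmp/build", "/var/tmpfoo/lib"):
        print(repr(sample), audit_runpath(sample))
```

The walk checks every prefix of the path rather than only the normalized result, so /tmp/../usr/lib is reported as well as /usr/lib/../../tmp/build.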