Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH

To: Martin Carpenter <mcarpenter@free.fr>
Cc: 773557@bugs.debian.org
Subject: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
From: Jonathan Nieder <jrnieder@gmail.com>
Date: Fri, 19 Dec 2014 14:56:53 -0800
Message-id: <[🔎] 20141219225653.GR29365@google.com>
Reply-to: Jonathan Nieder <jrnieder@gmail.com>, 773557@bugs.debian.org
In-reply-to: <[🔎] 20141219224949.8179.59578.reportbug@juliet.mcarpenter.org>
References: <[🔎] 20141219224949.8179.59578.reportbug@juliet.mcarpenter.org>

Hi,

Martin Carpenter wrote:

>> 8.7 RUNPATH and RPATH
>>
>> Libraries and executables should not define RPATH or RUNPATH unless
>> absolutely necessary.

This part seems vague to me --- if a project relies on RUNPATH but could
be modified to avoid relying on it, is today's use of RUNPATH absolutely
necessary?  It's hard enough to act on this recommendation that I don't
think it belongs in policy yet.

>> Those that do should ensure that relative paths or paths that traverse
>> insecure directories (eg /tmp or /var/tmp) are not included. This
>> is to prevent an executable from loading a library from an untrusted
>> location.

This part looks good.

>>            (This should include the corner cases whereby the path list
>> starts or ends with a colon, or includes two consecutive colons).

Nit: s/This should include/This include/

Thanks and hope that helps,
Jonathan

Reply to:

Follow-Ups:
- Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
  - From: Martin Carpenter <mcarpenter@free.fr>

Prev by Date: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
Next by Date: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
Previous by thread: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
Next by thread: Bug#773557: debian-policy: Avoid unsafe RPATH/RUNPATH
Index(es):
- Date
- Thread