From Fedora Project Wiki
Line 52: Line 52:
(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults
(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults


This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, loading of wrong libraries etc. In general changing the default search hierarchy could lead to unforeseen bugs and issues. And it's the same issue as adding /usr/lib64 to LD_LIBRARY_PATH.
This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, loading of wrong libraries etc. In general changing the default search hierarchy could lead to unforeseen bugs and issues (In a similar manner as as adding /usr/lib64 to LD_LIBRARY_PATH).


Another aspect of a hardcoded RPATH is security. When an ELF object contains an RPATH pointed to a directory where some malicious actor has write permission to, malicious code execution can happen.
Another aspect of a hardcoded RPATH is security. When an ELF object contains an RPATH pointed to a directory where some malicious actor has write permission to, malicious code execution can happen.

Revision as of 15:02, 3 May 2021


Change Proposal Name

Enable RPATH detection during rpmbuild.

Summary

Enable RPATH detection during rpmbuild. This will make the build fail in the case a hard-coded RPATH was detected within a binary or a shared library file.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-05-03
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The dynamic linker and loader (ld.so) is responsible for resolving runtime dependencies of executables and shared library files through a search hierarchy. However some packages (usually through their upstream buildsystems) contain a hard-coded path within their binaries or .so files, by using the -R or -rpath flag during compilation, which is referred to as RPATH. By utilizing RPATH, ELF files can point to directories to be included in the search path, on runtime, to resolve their dependencies.

While RPATH can be used for non-standard directories, such as a place containing private libraries of the project, when it points to a value already provided by the search path of ld.so it changes the hierarchy of the search, by placing the system defaults first.

(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults

This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, loading of wrong libraries etc. In general changing the default search hierarchy could lead to unforeseen bugs and issues (In a similar manner as as adding /usr/lib64 to LD_LIBRARY_PATH).

Another aspect of a hardcoded RPATH is security. When an ELF object contains an RPATH pointed to a directory where some malicious actor has write permission to, malicious code execution can happen.

Performance is also affected, since probing explicitly e.g. /usr/lib64 through RPATH adds extra open/openat system calls to the process startup.

In Fedora the use of RPATH is forbidden, but it was never enforced. This change intends to ratify that by running check-rpaths during rpmbuild and fail the build if an RPATH entry was detected.

Feedback

The change has been proposed a long time ago through FPC [0] and the general consensus is that it needs to be done, along with an overhaul of the Fedora documentation in regards to RPATH.

An email was also sent on Fedora devel regarding this change [1].

There have been multiple requests in the past to enable that check as well. [2]

[0] https://pagure.io/packaging-committee/issue/886 [1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7ZKGVM4XJ7QFRFZXTSGUT4K2MPDVV2XY/#W7LXPX4SIB57DDXXI4PQNKCFSOQMOL4S [2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/WD6JWMDIORBYNL4C5UHOJQGDR3N7HZY3/#LB63Q2HSLPWRMR7UQVQOYVVTG346TDRZ [3] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/A5X7ENAITWTVZASJBLCXS5MXQ7BE2RS6/#A5X7ENAITWTVZASJBLCXS5MXQ7BE2RS6 [4] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YJUWD2K32CZAGCDYOAJH2ISA2WF5AMGW/#ORK6J2T4PEYDCNA44HLEONFTXI2A6TFC [5] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2GITTEQ7SC5T656AXQ3OHKDG4SLINXB6/#NT3W4PYENFF3FPWDOTJ2UNOGVLZA4DHV

Benefit to Fedora

Improved performance, security, compliance with the guidelines, reducing of RPATH related bugs.


Scope

  • Proposal owners:

Merge the PR to redhat-rpm-config [PR link] to enable running of the check-rpaths script after %install.

  • Other developers:

Fix the affected packages List of packages

audiofile binutils esc ettercap freeradius fortune-mod fcl eb conky-manager condor community-mysql czmq cfitsio compat-guile18 glib2 gnokii koffice-kivio kicad jq komparator k3guitune laszip levmar hdf gpick kdepim3 gpgme Io-language kdegames3 gupnp-dlna kdebase3 libcommuni lutok libburn libminc libisoburn liboping librfid mingw-qt5-qtdeclarative libkkc openjade libdxfrw libosip2 libeXosip2 NLopt libprelude mingw-qt5-qt3d mod_wsgi libXcm ncview libdkimpp mingw-qt5-qttools mcpp mingw-qt5-qtbase mongo-c-driver nightview openscap plotmm pam_yubico perl-SDL pinentry pam_mount rb_libtorrent rrdtool rarian qwtpolar qucs scipy tracker SDL_image sofia-sip scap-workbench woff2 xeus yaz stp suitesparse sqlite2 vanessa_logger xbsql tracker-miners WindowMaker xmms sylfilter verbiste zvbi xdotool texlive-base zinnia

  • Policies and guidelines: N/A (not needed for this Change)

Guidelines need to change, link to PR

  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

Copr repo Local changes


User Experience

Packagers will have

Dependencies

Merge the PR to redhat-rpm-config

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Revert the change

Documentation

N/A (not a System Wide Change)

Release Notes