[Ecls-list] ECL build issues
Dr. David Kirkby
david.kirkby at onetel.net
Mon Aug 3 23:06:17 UTC 2009
Waldek Hebisch wrote:
> Setting LD_LIBRARY_PATH used to be not necessary. But some time
> ago ECL was modified at request of security folks. Namely, to
> automatically find its shared library ECL used 'rpath' feature.
> This feature is considered dangerous by security folks -- using
> 'rpath' means that ECL will search for its library in a set
> of directories specified at build time. If ECL binary is later
> installed on other machine it may happen that an adversary has
> right to put files in one of places searched by ECL. Then using
> appropriately prepared 'libecl.so.x.y' the adversary can hijack
> any ECL process.
To me, that security argument is just stupid. If I build ecl and make it
search in my home directory for a library, that is my choice. I could
put all sorts of nasty code in there. If an admin wants to use that
code, he should either trust the person that built it, or build it himself.
In fact, using LD_PRELOAD you can make any code you want execute rather
than the system one. I've had to use that myself when a system library
is broken.
IMHO, LD_LIBRARY_PATH should be used as a last resort - not as a first
choice.
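
An added example, not part of the original message and not ECL code: a Python check for the rpath concern described in the quoted text, listing the directories a binary's RPATH/RUNPATH will search and flagging any that someone other than root or the current user could write to or create. The `readelf -d` sample and its paths are constructed, and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample of `readelf -d` output; the paths are hypothetical.
SAMPLE_READELF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libecl.so.x.y]
 0x000000000000000f (RPATH)              Library rpath: [/home/builder/ecl/lib::lib]
"""
RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

def rpath_entries(readelf_text):
    """Return the search directories listed in RPATH/RUNPATH tags, in order."""
    entries = []
    for line in readelf_text.splitlines():
        m = RPATH_RE.search(line)
        if m:
            entries.extend(m.group(2).split(":"))
    return entries

def audit_entry(entry, origin=None):
    """Return findings for one search directory (empty list = nothing flagged)."""
    if origin is not None:  # origin: directory holding the binary
        entry = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
    if "$" in entry:
        return ["contains an unexpanded token such as $ORIGIN"]
    if not os.path.isabs(entry):
        # Empty and relative entries are resolved against the current directory.
        return ["relative to current working directory"]
    findings = []
    path = os.path.normpath(entry)
    if not os.path.isdir(path):
        findings.append("does not exist on this machine")
        # Whoever can write to the nearest existing ancestor can create it.
        while not os.path.isdir(path):
            path = os.path.dirname(path)
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group- or world-writable")
    if st.st_uid not in (0, os.getuid()):
        findings.append(f"{path} is owned by uid {st.st_uid}")
    return findings

def audit(readelf_text, origin=None):
    """Map each RPATH/RUNPATH entry to its list of findings."""
    return {e: audit_entry(e, origin) for e in rpath_entries(readelf_text)}

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_READELF).items():
        print(repr(entry), "->", findings or "ok")
```
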