[Ecls-list] ECL build issues
mm_lists at pulsar-zone.net
Tue Aug 4 00:36:16 UTC 2009
On Tue, 04 Aug 2009 00:06:17 +0100
"Dr. David Kirkby" <david.kirkby at onetel.net> wrote:
> > Setting LD_LIBRARY_PATH used to be not necessary. But some time
> > ago ECL was modified at request of security folks. Namely, to
> > automatically find its shared library ECL used 'rpath' feature.
> > This feature is considered dangerous by security folks -- using
> > 'rpath' means that ECL will search for its library in a set
> > of directories specified at build time. If ECL binary is is later
> > installed on other machine it may happen that an adversary has
> > right to put files in one of places searched by ECL. Then using
> > apropriatly prepared 'libecl.so.x.y' the adversary can hijack
> > any ECL process.
> To me, that security argument is just stupid. If I build ecl and make it
> search in my home directory for a library, that is my choice. I could
> put all sorts of nasty code in there. If an admin wants to use that
> code, he should either trust the person that built it, or build it himself.
It appears to me that RPATH is better than ld.so.conf/ldconfig,
and that LD_LIBRARY_PATH is similar to ld.so.conf yet even worse as it
allows to affect ld paths without special privileges. Moreover,
non-privileged users shouldn't be able to write to standard library
paths. If one builds an application with RPATHs set to less secure
directories it's probably that very person's problem, IMO.
More information about the ecl-devel