[Ecls-list] ECL build issues
Matthew Mondor
mm_lists at pulsar-zone.net
Tue Aug 4 00:36:16 UTC 2009
On Tue, 04 Aug 2009 00:06:17 +0100
"Dr. David Kirkby" <david.kirkby at onetel.net> wrote:
> > Setting LD_LIBRARY_PATH used to be not necessary. But some time
> > ago ECL was modified at request of security folks. Namely, to
> > automatically find its shared library ECL used 'rpath' feature.
> > This feature is considered dangerous by security folks -- using
> > 'rpath' means that ECL will search for its library in a set
> > of directories specified at build time. If ECL binary is is later
> > installed on other machine it may happen that an adversary has
> > right to put files in one of places searched by ECL. Then using
> > apropriatly prepared 'libecl.so.x.y' the adversary can hijack
> > any ECL process.
>
> To me, that security argument is just stupid. If I build ecl and make it
> search in my home directory for a library, that is my choice. I could
> put all sorts of nasty code in there. If an admin wants to use that
> code, he should either trust the person that built it, or build it himself.
It appears to me that RPATH is better than ld.so.conf/ldconfig,
and that LD_LIBRARY_PATH is similar to ld.so.conf yet even worse as it
allows to affect ld paths without special privileges. Moreover,
non-privileged users shouldn't be able to write to standard library
paths. If one builds an application with RPATHs set to less secure
directories it's probably that very person's problem, IMO.
--
Matt
More information about the ecl-devel
mailing list