From Fedora Project Wiki
Line 83: Line 83:
* Proposal owners:
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
Merge the PR to redhat-rpm-config [PR link] to enable running of the check-rpaths script after %install.


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


Fix the packages
Fix the affected packages
List of packages
List of packages


audiofile
audiofile
abc
binutils
binutils
esc
esc
Line 179: Line 180:
texlive-base
texlive-base
zinnia
zinnia
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 189: Line 188:
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. Please submit a pull request with the proposed changes before submitting your Change proposal. -->


Guidelines need to change
Guidelines need to change, link to PR


* Trademark approval: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://pagure.io/Fedora-Council/tickets/issues ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. -->


* Alignment with Objectives:  
* Alignment with Objectives:  

Revision as of 13:58, 30 April 2021


Change Proposal Name

Enable RPATH detection during rpmbuild.

Summary

Enable RPATH detection during rpmbuild by using the check-rpaths script. This will make the build fail in case it detected a hard-coded RPATH within a binary or a shared library file.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-04-30
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The dynamic linker and loader (ld.so) is responsible for resolving runtime dependencies of executables and shared library files through a search hierarchy. However some packages (usually through their upstream buildsystems) contain a hard-coded path within their binaries or .so files, by using the -R or -rpath flag during compilation, which is referred to as RPATH. By utilizing RPATH, ELF files can point to directories to be included in the search path, on runtime, to resolve their dependencies.

While this can be used for non-standard directories, such as private libraries, when RPATH points to a value already provided by the search path of ld.so it changes the hierarchy of the search, by placing the system defaults first.

(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults

This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, loading of wrong libraries etc. In general changing the default search hierarchy could lead to unforeseen bugs and issues. And it's the same issue as adding /usr/lib64 to LD_LIBRARY_PATH.

Another aspect of a hardcoded RPATH is security. When an ELF object contains an RPATH pointed to a directory where some malicious actor has write permission to, malicious code execution can happen.

Performance is also affected, since probing explicitly e.g. /usr/lib64 through RPATH adds extra open/openat system calls to the process startup.

In Fedora the use of RPATH is forbidden, but it was never enforced. This change intends to ratify that by running check-rpaths during rpmbuild and fail the build if an RPATH entry was detected.

Feedback

The change has been proposed a long time ago through FPC [0] and the general consensus is that it needs to be done, along with an overhaul of the Fedora documentation in regards to RPATH.

An email was also sent on Fedora devel regarding this change [1].

There have been multiple requests in the past to enable that check as well. [2]

[0] https://pagure.io/packaging-committee/issue/886 [1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7ZKGVM4XJ7QFRFZXTSGUT4K2MPDVV2XY/#W7LXPX4SIB57DDXXI4PQNKCFSOQMOL4S [2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/WD6JWMDIORBYNL4C5UHOJQGDR3N7HZY3/#LB63Q2HSLPWRMR7UQVQOYVVTG346TDRZ [3] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/A5X7ENAITWTVZASJBLCXS5MXQ7BE2RS6/#A5X7ENAITWTVZASJBLCXS5MXQ7BE2RS6 [4] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YJUWD2K32CZAGCDYOAJH2ISA2WF5AMGW/#ORK6J2T4PEYDCNA44HLEONFTXI2A6TFC [5] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2GITTEQ7SC5T656AXQ3OHKDG4SLINXB6/#NT3W4PYENFF3FPWDOTJ2UNOGVLZA4DHV

Benefit to Fedora

Improved performance, security, compliance with the guidelines, reducing of RPATH related bugs.


Scope

  • Proposal owners:

Merge the PR to redhat-rpm-config [PR link] to enable running of the check-rpaths script after %install.

  • Other developers:

Fix the affected packages List of packages

audiofile binutils esc ettercap freeradius fortune-mod fcl eb conky-manager condor community-mysql czmq cfitsio compat-guile18 glib2 gnokii koffice-kivio kicad jq komparator k3guitune laszip levmar hdf gpick kdepim3 gpgme Io-language kdegames3 gupnp-dlna kdebase3 libcommuni lutok libburn libminc libisoburn liboping librfid mingw-qt5-qtdeclarative libkkc openjade libdxfrw libosip2 libeXosip2 NLopt libprelude mingw-qt5-qt3d mod_wsgi libXcm ncview libdkimpp mingw-qt5-qttools mcpp mingw-qt5-qtbase mongo-c-driver nightview openscap plotmm pam_yubico perl-SDL pinentry pam_mount rb_libtorrent rrdtool rarian qwtpolar qucs scipy tracker SDL_image sofia-sip scap-workbench woff2 xeus yaz stp suitesparse sqlite2 vanessa_logger xbsql tracker-miners WindowMaker xmms sylfilter verbiste zvbi xdotool texlive-base zinnia

  • Policies and guidelines: N/A (not needed for this Change)

Guidelines need to change, link to PR

  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

Copr repo Local changes


User Experience

Packagers will have

Dependencies

Merge the PR to redhat-rpm-config

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Revert the change

Documentation

N/A (not a System Wide Change)

Release Notes