From Fedora Project Wiki
Revision as of 15:33, 3 May 2021


Change Proposal Name

Enable RPATH detection during rpmbuild.

Summary

Enable RPATH detection during rpmbuild. This will make the build fail if a hard-coded RPATH is detected within a binary or a shared library file.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-05-03
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The dynamic linker and loader (ld.so) is responsible for resolving the runtime dependencies of executables and shared library files through a search hierarchy. However, some packages (usually through their upstream build systems) embed a hard-coded path in their binaries or .so files by using the -R or -rpath flag during the build; this path is referred to as RPATH. By using RPATH, ELF files can point to directories that are added to the search path at run time to resolve their dependencies.

While RPATH can be used for non-standard directories, such as one containing the private libraries of a project, when it points to a directory already provided by the search path of ld.so it changes the hierarchy of the search by placing the system defaults first:

(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults

This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, or the wrong libraries being loaded. In general, changing the default search hierarchy could lead to unforeseen bugs and issues (in a similar manner to adding /usr/lib64 to LD_LIBRARY_PATH).

Another problem with a hard-coded RPATH is security. When an ELF object contains an RPATH that points to a directory not managed by the system, and a malicious actor has write permission to that directory, it is relatively easy to execute arbitrary code.

Performance can be affected as well, since explicitly probing a directory such as /usr/lib64 through RPATH adds extra open/openat system calls to process startup.

In Fedora the use of RPATH is forbidden, but this was never enforced. This change intends to ratify that by running /usr/lib/rpm/check-rpaths during rpmbuild, after %install, and failing the build if an RPATH entry is detected.
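
The kinds of entries described above can be told apart mechanically. The following is an added example, not code from this proposal and not the logic of /usr/lib/rpm/check-rpaths: it parses the text printed by `readelf -d` and flags entries that duplicate a system default, are empty or relative, or point to a directory that others can write to. The function names, the finding labels and the SYSTEM_DIRS list are assumptions made for the illustration.

```python
import os
import re
import stat

# Directories ld.so already searches by default (assumed list for a 64-bit Fedora system).
SYSTEM_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}
# Matches lines such as: 0x...0f (RPATH)  Library rpath: [/usr/lib64:/opt/app/lib]
ENTRY_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def classify(entry):
    """Return a finding for one search-path entry, or None if it looks acceptable."""
    if entry == "" or not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
        return "relative-or-empty"      # resolved against the current directory
    if entry.startswith("$"):
        return None                     # $ORIGIN: private libs located relative to the binary
    path = os.path.normpath(entry)
    if path in SYSTEM_DIRS:
        return "system-default"         # redundant, and reorders the search
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "missing-directory"      # not present here; review who could create it
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable-by-others"     # group- or world-writable directory
    return None


def audit(readelf_dynamic_output):
    """Parse `readelf -d` text and return [(tag, entry, finding), ...]."""
    findings = []
    for tag, value in ENTRY_RE.findall(readelf_dynamic_output):
        for entry in value.split(":"):
            finding = classify(entry)
            if finding:
                findings.append((tag, entry, finding))
    return findings


# Constructed sample of `readelf -d` output, not taken from a real package.
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib64:$ORIGIN/../lib::build/.libs]
"""

if __name__ == "__main__":
    for tag, entry, finding in audit(SAMPLE):
        print(f"{tag}: {entry!r}: {finding}")
```

To audit a real file, pass the output of `readelf -d <file>` to audit(); the directory checks reflect the machine the script runs on, not the system where the package will be installed.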

Feedback

The change was proposed a long time ago through FPC, and the general consensus is that it needs to be done, along with an overhaul of the Fedora documentation regarding RPATH.

An email thread was also started on Fedora devel regarding this change.

There have been multiple requests in the past to enable that check, as well as various attempts to remove RPATHs from packages in the distro.

As for other distributions, Debian discourages the use of RPATH, openSUSE forbids it by running the check from rpmlint after every package build, and Arch and Gentoo point out possible insecure usage in their respective documentation pages.

Benefit to Fedora

Improved performance, security and compliance with the guidelines, and fewer RPATH-related bugs.


Scope

  • Proposal owners: Merge the PR (https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/132) to redhat-rpm-config to enable running the check-rpaths script after %install.
  • Other developers: After the changes to redhat-rpm-config are merged, the maintainers of affected packages, who will see their packages' builds fail, will need to review their usage of RPATH and either remove it or work around the issue.
    • List of affected packages:
      • audiofile
      • binutils
      • esc
      • ettercap
      • freeradius
      • fortune-mod
      • fcl
      • eb
      • conky-manager
      • condor
      • community-mysql
      • czmq
      • cfitsio
      • compat-guile18
      • glib2
      • gnokii
      • koffice-kivio
      • kicad
      • jq
      • komparator
      • k3guitune
      • laszip
      • levmar
      • hdf
      • gpick
      • kdepim3
      • gpgme
      • Io-language
      • kdegames3
      • gupnp-dlna
      • kdebase3
      • libcommuni
      • lutok
      • libburn
      • libminc
      • libisoburn
      • liboping
      • librfid
      • mingw-qt5-qtdeclarative
      • libkkc
      • openjade
      • libdxfrw
      • libosip2
      • libeXosip2
      • NLopt
      • libprelude
      • mingw-qt5-qt3d
      • mod_wsgi
      • libXcm
      • ncview
      • libdkimpp
      • mingw-qt5-qttools
      • mcpp
      • mingw-qt5-qtbase
      • mongo-c-driver
      • nightview
      • openscap
      • plotmm
      • pam_yubico
      • perl-SDL
      • pinentry
      • pam_mount
      • python2.7
      • rb_libtorrent
      • rrdtool
      • rarian
      • qwtpolar
      • qucs
      • scipy
      • tracker
      • SDL_image
      • sofia-sip
      • scap-workbench
      • woff2
      • xeus
      • yaz
      • stp
      • suitesparse
      • usnic-tools
      • sqlite2
      • vanessa_logger
      • xbsql
      • tracker-miners
      • WindowMaker
      • xmms
      • sylfilter
      • verbiste
      • zvbi
      • xdotool
      • texlive-base
      • zinnia
  • Release engineering: This change doesn't require coordination with rel-eng, as any issues will be caught during the regular mass rebuild of packages.
  • Policies and guidelines: The guidelines will be overhauled to take into account accepted usage of RPATH, clarification of the policy and ways to opt out.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

How To Test

Copr repo Local changes


User Experience

Packagers will have

Dependencies

Merge the PR to redhat-rpm-config

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

Revert the change

Documentation

N/A (not a System Wide Change)

Release Notes