Change Proposal Name
Enable RPATH detection during rpmbuild.
Enable RPATH detection during rpmbuild. This will make the build fail in the case a hard-coded RPATH was detected within a binary or a shared library file.
- Name: Charalampos Stratakis
- Email: cstratak AT redhat.com
- Targeted release: Fedora Linux 35
- Last updated: 2021-05-03
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
The dynamic linker and loader (ld.so) is responsible for resolving runtime dependencies of executables and shared library files through a search hierarchy. However some packages (usually through their upstream buildsystems) contain a hard-coded path within their binaries or .so files, by using the -R or -rpath flag during compilation, which is referred to as RPATH. By utilizing RPATH, ELF files can point to directories to be included in the search path, on runtime, to resolve their dependencies.
While RPATH can be used for non-standard directories, such as a place containing private libraries of the project, when it points to a value already provided by the search path of ld.so it changes the hierarchy of the search, by placing the system defaults first.
(a) DT_RPATH -> (b) LD_LIBRARY_PATH -> (c) DT_RUNPATH -> (d) cache (/etc/ld.so.cache) -> (e) system defaults
This could present a variety of issues, such as LD_LIBRARY_PATH overrides not working, incomplete dependency resolution, loading of wrong libraries etc. In general changing the default search hierarchy could lead to unforeseen bugs and issues (In a similar manner as as adding /usr/lib64 to LD_LIBRARY_PATH).
Another problem of a hardcoded RPATH is security. When an ELF object contains an RPATH pointed to a directory not managed by the system, where some malicious actor has write permissions to, it's relatively easy to execute arbitrary code.
Performance can be affected as well, since probing explicitly e.g. /usr/lib64 through RPATH adds extra open/openat system calls to the process startup.
In Fedora the use of RPATH is forbidden, but it was never enforced. This change intends to ratify that by running /usr/lib/rpm/check-rpaths during rpmbuild, after %install, and fail the build if an RPATH entry was detected.
The change has been proposed a long time ago through FPC and the general consensus is that it needs to be done, along with an overhaul of the Fedora documentation in regards to RPATH.
An email thread was also started on Fedora devel regarding this change.
Benefit to Fedora
Improved performance, security, compliance with the guidelines, reducing of RPATH related bugs.
- Proposal owners:
Merge the PR to redhat-rpm-config [PR link] to enable running of the check-rpaths script after %install.
- Other developers:
Fix the affected packages List of packages
audiofile binutils esc ettercap freeradius fortune-mod fcl eb conky-manager condor community-mysql czmq cfitsio compat-guile18 glib2 gnokii koffice-kivio kicad jq komparator k3guitune laszip levmar hdf gpick kdepim3 gpgme Io-language kdegames3 gupnp-dlna kdebase3 libcommuni lutok libburn libminc libisoburn liboping librfid mingw-qt5-qtdeclarative libkkc openjade libdxfrw libosip2 libeXosip2 NLopt libprelude mingw-qt5-qt3d mod_wsgi libXcm ncview libdkimpp mingw-qt5-qttools mcpp mingw-qt5-qtbase mongo-c-driver nightview openscap plotmm pam_yubico perl-SDL pinentry pam_mount rb_libtorrent rrdtool rarian qwtpolar qucs scipy tracker SDL_image sofia-sip scap-workbench woff2 xeus yaz stp suitesparse sqlite2 vanessa_logger xbsql tracker-miners WindowMaker xmms sylfilter verbiste zvbi xdotool texlive-base zinnia
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
Guidelines need to change, link to PR
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
How To Test
Copr repo Local changes
Packagers will have
Merge the PR to redhat-rpm-config
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Revert the change
N/A (not a System Wide Change)