[uClibc] RE: [uClibc-cvs] svn commit: trunk/uClibc/ldso/ldso: armcris i386 m68k mips powerpc sh sh64 etc...

Rob Landley rob at landley.net
Sun Mar 20 17:11:26 UTC 2005 

On Friday 18 March 2005 09:25 am, Mike Frysinger wrote:
> On Friday 18 March 2005 02:34 am, Joakim Tjernlund wrote:
> > > On Thursday 17 March 2005 10:40 pm, Erik Andersen wrote:
> > > > On Thu Mar 17, 2005 at 06:38:15PM -0500, Rob Landley wrote:
> > > > > Okay, stated another way:
> > > > >
> > > > > Considering that we haven't had this for the past X years and
> > > > > have gotten along fine without it, what use cases actually
> > > > > _need_ it?  (What does adding it buy us, other than "being like
> > > > > glibc"?)
> >
> > It has been requested on the ml a few times. Last reference I have is
> > http://cvs.uclibc.org/lists/uclibc/2004-September/009898.html
>
> and as long as it's a CONFIG option (which i dont think would be hard to
> add), it's really a non-issue

Pretty much.  It's just a new potential security hole (for uClibc, glibc's had 
it for a long time) that will be in the next release that wasn't in the last 
release.  I'm not saying we shouldn't have it, just that we shouldn't spring 
it on users without warning.

> for the sake of the security minded, we could just default it to off
> -mike

Yes, and comment about the security implications in the help would be very 
nice too.  "This feature can be used to bypass the "noexec" mount flag, so 
secure systems will disable it (or remove the executable bit from the 
ld-uClibc binary)."

Explaining why you'd want to use it should go in the same help entry, but 
the earlier post about using it to override library paths conflicts with a 
fact I'm doing ldd on the binaries in my knoppix and there ARE no full paths 
to libraries:

knoppix at ttyp2[knoppix]$ ldd /bin/ls
        librt.so.1 => /lib/tls/librt.so.1 (0x40027000)
        libacl.so.1 => /lib/libacl.so.1 (0x4002d000)
        libc.so.6 => /lib/tls/libc.so.6 (0x40035000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40170000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
        libattr.so.1 => /lib/libattr.so.1 (0x4017f000)
knoppix at ttyp2[knoppix]$

The only thing with an absolute path is the library loader itself.  Is that 
what they're trying to override?  Or did stupid binary-only vendors hardcode 
paths to their libraries and refuse to fix their build?  (I.E. what's the 
special case where LD_LIBRARY_PATH isn't enough, so that you need this 
feature?)

Rob

More information about the uClibc mailing list