On Fri, Dec 19, 2014 at 11:49:49PM +0100, Martin Carpenter wrote: > Package: debian-policy > Severity: important > Tags: patch > > Dear Maintainer, > > The existing policy does not specify that the RPATH or RUNPATH (if > present) should not contain relative paths or paths that traverse > dangerous (eg world writable) directories. There is some discussion > of this on the OSS-security list starting at: > http://seclists.org/oss-sec/2014/q4/761 > > Example bugs that could be avoided with such a policy: > https://bugs.debian.org/754278 > https://bugs.debian.org/759868
Alas policy by itself does not prevent bugs, a lintian test is more efficient, > (There is an existing check for RPATH in lintian > (binary-or-shlib-defines-rpath) but it is only "Certainty: possible" > due to possible caveats. Relative RPATH/RUNPATH on the other hand is > slam-dunk certain). Then maybe lintian should have a separate test for relative RPATH/RUNPATH. > There is some good discussion in these last two reports but they are > both stale (5 years). I suspect that this is because the scope of these > proposals is quite broad. Therefore I'd like to propose a (hopefully > uncontraversial) paragraph that addresses at least the security concern > and that may provide a base for further refinements in the spirit of > #458824 and #555982 as well as a raison d'etre for a future lintian > check to help avoid these security exposures. It is not necessary to document in policy all the obvious invalid behaviours of packages prior to have them check by lintian. > > 8.7 RUNPATH and RPATH > > > > Libraries and executables should not define RPATH or RUNPATH unless > > absolutely necessary. > > > > Those that do should ensure that relative paths or paths that traverse > > insecure directories (eg /tmp or /var/tmp) are not included. This > > is to prevent an executable from loading a library from an untrusted > > location. (This should include the corner cases whereby the path list > > starts or ends with a colon, or includes two consecutive colons). I would further suggest we forbid /usr/lib and /usr/lib/<multiarch>/, and only allow RUNPATH to other subdirectories of /usr/lib (to support what policy call plug-in). Cheers, -- Bill. <ballo...@debian.org> Imagine a large red swirl here. -- To UNSUBSCRIBE, email to debian-policy-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150205221605.GA28584@yellowpig
