* [PATCH] ldd: Do not recommend binutils as the safer option
@ 2023-10-16 6:19 Siddhesh Poyarekar
2023-10-16 10:08 ` Alejandro Colomar
2023-10-16 10:47 ` Mike Frysinger
0 siblings, 2 replies; 8+ messages in thread
From: Siddhesh Poyarekar @ 2023-10-16 6:19 UTC (permalink / raw)
To: linux-man; +Cc: alx.manpages, siddhesh
The binutils security policy[1] states that diagnostic tools should not
be expected to be safe without sandboxing, so it doesn't make sense to
recommend it as the alternative to ldd, especially since it is not a
drop-in replacement. Recommend sandboxing instead, since that is in
fact the safest known way at the moment to deal with untrusted binaries.
[1] https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=binutils/SECURITY.txt
Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
---
man1/ldd.1 | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/man1/ldd.1 b/man1/ldd.1
index cca96ec4d..f86798566 100644
--- a/man1/ldd.1
+++ b/man1/ldd.1
@@ -94,20 +94,8 @@ Thus, you should
.I never
employ
.B ldd
-on an untrusted executable,
+on an untrusted executable without appropriate sandboxing,
since this may result in the execution of arbitrary code.
-A safer alternative when dealing with untrusted executables is:
-.PP
-.in +4n
-.EX
-$ \fBobjdump \-p /path/to/program | grep NEEDED\fP
-.EE
-.in
-.PP
-Note, however, that this alternative shows only the direct dependencies
-of the executable, while
-.B ldd
-shows the entire dependency tree of the executable.
.SH OPTIONS
.TP
.B \-\-version
--
2.41.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 6:19 [PATCH] ldd: Do not recommend binutils as the safer option Siddhesh Poyarekar
@ 2023-10-16 10:08 ` Alejandro Colomar
2023-10-16 13:28 ` Siddhesh Poyarekar
2023-10-16 10:47 ` Mike Frysinger
1 sibling, 1 reply; 8+ messages in thread
From: Alejandro Colomar @ 2023-10-16 10:08 UTC (permalink / raw)
To: Siddhesh Poyarekar; +Cc: linux-man, alx.manpages
[-- Attachment #1: Type: text/plain, Size: 1630 bytes --]
Hi Siddhesh,
On Mon, Oct 16, 2023 at 02:19:23AM -0400, Siddhesh Poyarekar wrote:
> The binutils security policy[1] states that diagnostic tools should not
> be expected to be safe without sandboxing, so it doesn't make sense to
> recommend it as the alternative to ldd, especially since it is not a
> drop-in replacement. Recommend sandboxing instead, since that is in
> fact the safest known way at the moment to deal with untrusted binaries.
>
> [1] https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=binutils/SECURITY.txt
>
> Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
> ---
> man1/ldd.1 | 14 +-------------
> 1 file changed, 1 insertion(+), 13 deletions(-)
>
> diff --git a/man1/ldd.1 b/man1/ldd.1
> index cca96ec4d..f86798566 100644
> --- a/man1/ldd.1
> +++ b/man1/ldd.1
> @@ -94,20 +94,8 @@ Thus, you should
> .I never
> employ
> .B ldd
> -on an untrusted executable,
> +on an untrusted executable without appropriate sandboxing,
> since this may result in the execution of arbitrary code.
> -A safer alternative when dealing with untrusted executables is:
> -.PP
> -.in +4n
> -.EX
> -$ \fBobjdump \-p /path/to/program | grep NEEDED\fP
Should we maybe keep this example, and suggest using it with sandboxing?
Or is it not useful anymore?
Thanks,
Alex
> -.EE
> -.in
> -.PP
> -Note, however, that this alternative shows only the direct dependencies
> -of the executable, while
> -.B ldd
> -shows the entire dependency tree of the executable.
> .SH OPTIONS
> .TP
> .B \-\-version
> --
> 2.41.0
--
<https://www.alejandro-colomar.es/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 10:08 ` Alejandro Colomar
@ 2023-10-16 13:28 ` Siddhesh Poyarekar
2023-10-16 13:33 ` Alejandro Colomar
0 siblings, 1 reply; 8+ messages in thread
From: Siddhesh Poyarekar @ 2023-10-16 13:28 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: linux-man, alx.manpages
On 2023-10-16 06:08, Alejandro Colomar wrote:
> Hi Siddhesh,
>
> On Mon, Oct 16, 2023 at 02:19:23AM -0400, Siddhesh Poyarekar wrote:
>> The binutils security policy[1] states that diagnostic tools should not
>> be expected to be safe without sandboxing, so it doesn't make sense to
>> recommend it as the alternative to ldd, especially since it is not a
>> drop-in replacement. Recommend sandboxing instead, since that is in
>> fact the safest known way at the moment to deal with untrusted binaries.
>>
>> [1] https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=binutils/SECURITY.txt
>>
>> Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
>> ---
>> man1/ldd.1 | 14 +-------------
>> 1 file changed, 1 insertion(+), 13 deletions(-)
>>
>> diff --git a/man1/ldd.1 b/man1/ldd.1
>> index cca96ec4d..f86798566 100644
>> --- a/man1/ldd.1
>> +++ b/man1/ldd.1
>> @@ -94,20 +94,8 @@ Thus, you should
>> .I never
>> employ
>> .B ldd
>> -on an untrusted executable,
>> +on an untrusted executable without appropriate sandboxing,
>> since this may result in the execution of arbitrary code.
>> -A safer alternative when dealing with untrusted executables is:
>> -.PP
>> -.in +4n
>> -.EX
>> -$ \fBobjdump \-p /path/to/program | grep NEEDED\fP
>
> Should we maybe keep this example, and suggest using it with sandboxing?
> Or is it not useful anymore?
I don't see the point TBH. I wouldn't mind if that example was replaced
with lddtree as the alternative since it is functionally equivalent.
However it would be a safer recommendation to put that too inside a
sandbox because IMO you'd generally never want to run or even analyze
arbitrary executables without proper sandboxing.
Thanks,
Sid
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 13:28 ` Siddhesh Poyarekar
@ 2023-10-16 13:33 ` Alejandro Colomar
2023-10-16 13:46 ` Siddhesh Poyarekar
0 siblings, 1 reply; 8+ messages in thread
From: Alejandro Colomar @ 2023-10-16 13:33 UTC (permalink / raw)
To: Siddhesh Poyarekar; +Cc: linux-man, Mike Frysinger
[-- Attachment #1: Type: text/plain, Size: 842 bytes --]
Hi Siddhesh,
On Mon, Oct 16, 2023 at 09:28:39AM -0400, Siddhesh Poyarekar wrote:
> > Should we maybe keep this example, and suggest using it with sandboxing?
> > Or is it not useful anymore?
>
> I don't see the point TBH.
The point was to add another layer of security, in case the sanboxing is
not perfect.
> I wouldn't mind if that example was replaced
> with lddtree as the alternative since it is functionally equivalent. However
> it would be a safer recommendation to put that too inside a sandbox because
> IMO you'd generally never want to run or even analyze arbitrary executables
> without proper sandboxing.
Sure, I didn't know about lddtree. Feel free to use it.
Thanks,
Alex
P.S.:
I'm deprecating <alx.manpages@gmail.com>. Please use <alx@kernel.org>.
--
<https://www.alejandro-colomar.es/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 13:33 ` Alejandro Colomar
@ 2023-10-16 13:46 ` Siddhesh Poyarekar
2023-10-17 18:19 ` Adhemerval Zanella Netto
0 siblings, 1 reply; 8+ messages in thread
From: Siddhesh Poyarekar @ 2023-10-16 13:46 UTC (permalink / raw)
To: Alejandro Colomar; +Cc: linux-man, Mike Frysinger
On 2023-10-16 09:33, Alejandro Colomar wrote:
> Hi Siddhesh,
>
> On Mon, Oct 16, 2023 at 09:28:39AM -0400, Siddhesh Poyarekar wrote:
>>> Should we maybe keep this example, and suggest using it with sandboxing?
>>> Or is it not useful anymore?
>>
>> I don't see the point TBH.
>
> The point was to add another layer of security, in case the sanboxing is
> not perfect.
>
>> I wouldn't mind if that example was replaced
>> with lddtree as the alternative since it is functionally equivalent. However
>> it would be a safer recommendation to put that too inside a sandbox because
>> IMO you'd generally never want to run or even analyze arbitrary executables
>> without proper sandboxing.
>
> Sure, I didn't know about lddtree. Feel free to use it.
Mike, could you please post a patch replacing the objdump example with
lddtree and recommending sandboxing?
Thanks,
Sid
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 13:46 ` Siddhesh Poyarekar
@ 2023-10-17 18:19 ` Adhemerval Zanella Netto
0 siblings, 0 replies; 8+ messages in thread
From: Adhemerval Zanella Netto @ 2023-10-17 18:19 UTC (permalink / raw)
To: Siddhesh Poyarekar, Alejandro Colomar; +Cc: linux-man, Mike Frysinger
On 16/10/23 10:46, Siddhesh Poyarekar wrote:
> On 2023-10-16 09:33, Alejandro Colomar wrote:
>> Hi Siddhesh,
>>
>> On Mon, Oct 16, 2023 at 09:28:39AM -0400, Siddhesh Poyarekar wrote:
>>>> Should we maybe keep this example, and suggest using it with sandboxing?
>>>> Or is it not useful anymore?
>>>
>>> I don't see the point TBH.
>>
>> The point was to add another layer of security, in case the sanboxing is
>> not perfect.
>>
>>> I wouldn't mind if that example was replaced
>>> with lddtree as the alternative since it is functionally equivalent. However
>>> it would be a safer recommendation to put that too inside a sandbox because
>>> IMO you'd generally never want to run or even analyze arbitrary executables
>>> without proper sandboxing.
>>
>> Sure, I didn't know about lddtree. Feel free to use it.
>
> Mike, could you please post a patch replacing the objdump example with lddtree and recommending sandboxing?
Sometime ago I created a tool that tried to mimic glibc loader algorithm [1]
as close as possible, including support to read ld.so.cache directly
(including its multiple versions and hwcap support), support for ld.preaload
file, $PLATFORM support, and hwcap support.
I think the only missing support and the kernel addresses and vdso, which
is not possible without actually loading the binary.
[1] https://github.com/zatrazz/rldd
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 6:19 [PATCH] ldd: Do not recommend binutils as the safer option Siddhesh Poyarekar
2023-10-16 10:08 ` Alejandro Colomar
@ 2023-10-16 10:47 ` Mike Frysinger
2023-10-16 11:22 ` Alejandro Colomar
1 sibling, 1 reply; 8+ messages in thread
From: Mike Frysinger @ 2023-10-16 10:47 UTC (permalink / raw)
To: Siddhesh Poyarekar; +Cc: linux-man, alx.manpages
[-- Attachment #1: Type: text/plain, Size: 614 bytes --]
On 16 Oct 2023 02:19, Siddhesh Poyarekar wrote:
> The binutils security policy[1] states that diagnostic tools should not
> be expected to be safe without sandboxing, so it doesn't make sense to
> recommend it as the alternative to ldd, especially since it is not a
> drop-in replacement. Recommend sandboxing instead, since that is in
> fact the safest known way at the moment to deal with untrusted binaries.
fwiw, this is one reason why i wrote `lddtree` (although the primary reason
was cross-compiling and separate-root dirs). it's part of the pax-utils
project that's available in most distros now.
-mike
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ldd: Do not recommend binutils as the safer option
2023-10-16 10:47 ` Mike Frysinger
@ 2023-10-16 11:22 ` Alejandro Colomar
0 siblings, 0 replies; 8+ messages in thread
From: Alejandro Colomar @ 2023-10-16 11:22 UTC (permalink / raw)
To: Mike Frysinger; +Cc: Siddhesh Poyarekar, linux-man, alx.manpages
[-- Attachment #1: Type: text/plain, Size: 1493 bytes --]
On Mon, Oct 16, 2023 at 04:32:02PM +0545, Mike Frysinger wrote:
> On 16 Oct 2023 02:19, Siddhesh Poyarekar wrote:
> > The binutils security policy[1] states that diagnostic tools should not
> > be expected to be safe without sandboxing, so it doesn't make sense to
> > recommend it as the alternative to ldd, especially since it is not a
> > drop-in replacement. Recommend sandboxing instead, since that is in
> > fact the safest known way at the moment to deal with untrusted binaries.
>
> fwiw, this is one reason why i wrote `lddtree` (although the primary reason
> was cross-compiling and separate-root dirs). it's part of the pax-utils
> project that's available in most distros now.
> -mike
Hi Mike,
Is there a manual page for lddtree(1)?
alx@debian:~$ man lddtree
No manual entry for lddtree
alx@debian:~$ apt-file show pax-utils
pax-utils: /usr/bin/dumpelf
pax-utils: /usr/bin/lddtree
pax-utils: /usr/bin/pspax
pax-utils: /usr/bin/scanelf
pax-utils: /usr/bin/scanmacho
pax-utils: /usr/bin/symtree
pax-utils: /usr/share/doc/pax-utils/changelog.Debian.gz
pax-utils: /usr/share/doc/pax-utils/copyright
pax-utils: /usr/share/man/man1/dumpelf.1.gz
pax-utils: /usr/share/man/man1/pspax.1.gz
pax-utils: /usr/share/man/man1/scanelf.1.gz
pax-utils: /usr/share/man/man1/scanmacho.1.gz
Would you mind pointing to some documentation for it? Or write a page
if you feel like. :)
Cheers,
Alex
--
<https://www.alejandro-colomar.es/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-10-17 18:19 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-16 6:19 [PATCH] ldd: Do not recommend binutils as the safer option Siddhesh Poyarekar
2023-10-16 10:08 ` Alejandro Colomar
2023-10-16 13:28 ` Siddhesh Poyarekar
2023-10-16 13:33 ` Alejandro Colomar
2023-10-16 13:46 ` Siddhesh Poyarekar
2023-10-17 18:19 ` Adhemerval Zanella Netto
2023-10-16 10:47 ` Mike Frysinger
2023-10-16 11:22 ` Alejandro Colomar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).