Date: Fri, 10 Dec 2010 09:19:00 -0000
From: Jakub Jelinek
To: Andreas Schwab
Cc: Ulrich Drepper, libc-hacker@sourceware.org
Subject: Re: [PATCH] Ignore origin of privileged program
Message-ID: <20101210091902.GB19887@sunsite.ms.mff.cuni.cz>

On Fri, Dec 10, 2010 at 09:46:10AM +0100, Andreas Schwab wrote:
> Ulrich Drepper writes:
>
> > On Thu, Dec 9, 2010 at 09:47, Andreas Schwab wrote:
> >> 2010-12-09  Andreas Schwab
> >>
> >>        * elf/dl-object.c (_dl_new_object): Ignore origin of privileged
> >>        program.
> >
> > The check should also have a whitelist for programs in
> > {,/usr}/lib{,64}, similar to the DSO tests.
>
> I don't think this is useful.  Libraries are not installed alongside
> programs and privileged programs can only use $ORIGIN exactly.

Well, for some of the iconv modules which use $ORIGIN that is /usr/lib{,64}/gconv and we certainly need to do something about them, either stop using $ORIGIN there, or make $ORIGIN be allowed to /usr/lib{,64}/gconv, etc.
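
The allow-list idea discussed in this thread, as an added sketch that is not glibc code and not written by anyone in the thread: for a privileged process, an origin directory is accepted only when it exactly equals a trusted directory. The names `origin_allowed`, `has_unsafe_component` and `trusted_origins` are hypothetical, the list is the thread's `{,/usr}/lib{,64}` pattern expanded plus the gconv directories, and the origin is assumed to be the absolute path string the loader already computed (symlinks are not resolved here).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: brace patterns from the thread, expanded by hand. */
static const char *const trusted_origins[] = {
    "/lib", "/lib64", "/usr/lib", "/usr/lib64",
    "/usr/lib/gconv", "/usr/lib64/gconv",
};

/* True if PATH contains a ".", ".." or empty ("//") component. */
static bool has_unsafe_component(const char *path)
{
    const char *p = path;
    while (*p == '/') {
        const char *start = ++p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 0 && *p == '/')
            return true;
        if (start[0] == '.' && (n == 1 || (n == 2 && start[1] == '.')))
            return true;
    }
    return false;
}

/* Decide whether $ORIGIN may expand to ORIGIN for this process. */
bool origin_allowed(const char *origin, bool privileged)
{
    if (!privileged)
        return true;                /* unprivileged: no restriction */
    if (origin == NULL || origin[0] != '/' || has_unsafe_component(origin))
        return false;               /* unknown, relative or non-canonical */
    size_t len = strlen(origin);
    if (len > 1 && origin[len - 1] == '/')
        len--;                      /* tolerate one trailing slash */
    for (size_t i = 0; i < sizeof trusted_origins / sizeof trusted_origins[0]; i++)
        if (strlen(trusted_origins[i]) == len
            && memcmp(trusted_origins[i], origin, len) == 0)
            return true;            /* exact match, never a prefix match */
    return false;
}

int main(void)
{
    printf("%d %d\n", origin_allowed("/usr/lib64/gconv", true),
           origin_allowed("/usr/libevil", true));
    return 0;
}
```

The comparison is exact on purpose: a prefix test against `/usr/lib` would also accept `/usr/libevil` and `/usr/lib/../../tmp`.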