/usr/lib/rpm/check-rpaths-worker is in rpm 4.12.0.2+dfsg1-2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | #! /bin/bash
# Copyright (C) 2004 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
fail=
already_shown=0
# effect of this expression is obviously:
# * match paths beginning with:
# - $SOMETHING/<something>/..
# - /<something>/..
# * but not paths beginning with
# - $SOMETHING/..
# - $SOMETHING/../../../.....
BADNESS_EXPR_32='\(\(\$[^/]\+\)\?\(/.*\)\?/\(\([^.][^/]*\)\|\(\.[^./][^/]*\)\|\(\.\.[^/]\+\)\)\)/\.\.\(/.*\)\?$'
function showHint()
{
test "$already_shown" -eq 0 || return
already_shown=1
cat <<EOF >&2
*******************************************************************************
*
* WARNING: 'check-rpaths' detected a broken RPATH and will cause 'rpmbuild'
* to fail. To ignore these errors, you can set the '\$QA_RPATHS'
* environment variable which is a bitmask allowing the values
* below. The current value of QA_RPATHS is $(printf '0x%04x' $QA_RPATHS).
*
* 0x0001 ... standard RPATHs (e.g. /usr/lib); such RPATHs are a minor
* issue but are introducing redundant searchpaths without
* providing a benefit. They can also cause errors in multilib
* environments.
* 0x0002 ... invalid RPATHs; these are RPATHs which are neither absolute
* nor relative filenames and can therefore be a SECURITY risk
* 0x0004 ... insecure RPATHs; these are relative RPATHs which are a
* SECURITY risk
* 0x0008 ... the special '\$ORIGIN' RPATHs are appearing after other
* RPATHs; this is just a minor issue but usually unwanted
* 0x0010 ... the RPATH is empty; there is no reason for such RPATHs
* and they cause unneeded work while loading libraries
* 0x0020 ... an RPATH references '..' of an absolute path; this will break
* the functionality when the path before '..' is a symlink
*
*
* Examples:
* - to ignore standard and empty RPATHs, execute 'rpmbuild' like
* \$ QA_RPATHS=\$[ 0x0001|0x0010 ] rpmbuild my-package.src.rpm
* - to check existing files, set \$RPM_BUILD_ROOT and execute check-rpaths like
* \$ RPM_BUILD_ROOT=<top-dir> /usr/lib/rpm/check-rpaths
*
*******************************************************************************
EOF
}
function msg()
{
local val=$1
local cmp=$2
local msg=
local fail=
local code
test $[ $val & $cmp ] -ne 0 || return 0
code=$(printf '%04x' $cmp)
if test $[ $val & ~$QA_RPATHS ] -eq 0; then
msg="WARNING"
else
showHint
msg="ERROR "
fail=1
fi
shift 2
echo "$msg $code: $@" >&2
test -z "$fail"
}
: ${QA_RPATHS:=0}
old_IFS=$IFS
for i; do
pos=0
rpath=$(readelf -d "$i" 2>/dev/null | LANG=C grep '(RPATH).*:') || continue
rpath=$(echo "$rpath" | LANG=C sed -e 's!.*(RPATH).*: \[\(.*\)\]!\1!p;d')
tmp=aux:$rpath:/lib/aux || :
IFS=:
set -- $tmp
IFS=$old_IFS
shift
allow_ORIGIN=1
for j; do
new_allow_ORIGIN=0
if test -z "$j"; then
badness=16
elif expr match "$j" "$BADNESS_EXPR_32" >/dev/null; then
badness=32
else
case "$j" in
(/lib/*|/usr/lib/*|/usr/X11R6/lib/*|/usr/local/lib/*)
badness=0;;
(/lib64/*|/usr/lib64/*|/usr/X11R6/lib64/*|/usr/local/lib64/*)
badness=0;;
(\$ORIGIN|\${ORIGINX}|\$ORIGIN/*|\${ORIGINX}/*)
test $allow_ORIGIN -eq 0 && badness=8 || {
badness=0
new_allow_ORIGIN=1
}
;;
(/*\$PLATFORM*|/*\${PLATFORM}*|/*\$LIB*|/*\${LIB}*)
badness=0;;
(/lib|/usr/lib|/usr/X11R6/lib)
badness=1;;
(/lib64|/usr/lib64|/usr/X11R6/lib64)
badness=1;;
(.*)
badness=4;;
(*) badness=2;;
esac
fi
allow_ORIGIN=$new_allow_ORIGIN
base=${i##$RPM_BUILD_ROOT}
msg "$badness" 1 "file '$base' contains a standard rpath '$j' in [$rpath]" || fail=1
msg "$badness" 2 "file '$base' contains an invalid rpath '$j' in [$rpath]" || fail=1
msg "$badness" 4 "file '$base' contains an insecure rpath '$j' in [$rpath]" || fail=1
msg "$badness" 8 "file '$base' contains the \$ORIGIN rpath specifier at the wrong position in [$rpath]" || fail=1
msg "$badness" 16 "file '$base' contains an empty rpath in [$rpath]" || fail=1
msg "$badness" 32 "file '$base' contains an rpath referencing '..' of an absolute path [$rpath]" || fail=2
let ++pos
done
done
test -z "$fail"
|