
Bug 607822

Summary: <sys-apps/openrc-0.44.10: runpath issue
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Auditing
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: hardened, openrc
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-01-31 16:05:55 UTC
Dear Auditors,

the checksec script available at https://github.com/slimm609/checksec.sh is able to scan an ELF through scanelf/readelf and report the hardening and/or the security status.

If the check goes well it is printed green, otherwise it is red.

While scanning some files provided by openrc, it prints the error about RUNPATH:

# sh checksec --file /bin/rc-status 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   RUNPATH      No      0               4       /bin/rc-status

The runpath issue comes up if the following contents exist:

# readelf -d /bin/rc-status  | grep runpath
 0x000000000000001d (RUNPATH)            Library runpath: [/lib64]

When I tried to scan other executables, I didn't get anything.


I didn't investigate deeply; can you clarify if this is something that we can report?

CC'ing the hardened team in case they know something about it.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 19:54:00 UTC
Seems to affect 0.43.5-r1, but not 0.44.10.

/var/db/repos/gentoo/sys-apps/openrc # readelf -d /var/tmp/portage/sys-apps/openrc-0.44.10/image/bin/rc-status  | grep runpath
/var/db/repos/gentoo/sys-apps/openrc # readelf -d /var/tmp/portage/sys-apps/openrc-0.43.5-r1/image/bin/rc-status  | grep runpath
 0x000000000000001d (RUNPATH)            Library runpath: [/lib64]
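
The following is an added example, not part of the bug report or of checksec or openrc: a small triage of `readelf -d` output that separates RUNPATH/RPATH elements by how they are resolved, instead of flagging the mere presence of the tag. The trusted-directory set, the function names and the second sample are assumptions made for illustration.

```python
import os
import re

# Matches the lines `readelf -d` prints for DT_RPATH / DT_RUNPATH entries.
DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")

# Assumption: directories this triage treats as root-owned system library paths.
TRUSTED_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64"}

def classify(entry):
    """Give one search-path element a triage verdict."""
    if entry == "":
        return "high: empty element, may resolve relative to the current directory"
    if "$ORIGIN" in entry or "${ORIGIN}" in entry:
        return "review: resolved relative to the binary's own location"
    if not entry.startswith("/"):
        return "high: relative path, depends on the working directory"
    if os.path.normpath(entry) in TRUSTED_DIRS:
        return "low: absolute path in the assumed-trusted system set"
    return "review: check ownership and write permissions of this directory"

def triage(readelf_output):
    """Return (tag, element, verdict) for each RPATH/RUNPATH element found."""
    findings = []
    for line in readelf_output.splitlines():
        match = DYN_RE.search(line)
        if match:
            tag, value = match.groups()
            for element in value.split(":"):  # entries are colon-separated
                findings.append((tag, element, classify(element)))
    return findings

# The RUNPATH line quoted in the report, preceded by a constructed NEEDED line.
REPORTED = """\
 0x0000000000000001 (NEEDED)             Shared library: [libexample.so.1]
 0x000000000000001d (RUNPATH)            Library runpath: [/lib64]
"""
# Constructed sample showing the element kinds that deserve attention.
CONSTRUCTED = " 0x000000000000000f (RPATH)   Library rpath: [/opt/app/lib::$ORIGIN/../lib:build/lib]\n"

if __name__ == "__main__":
    for sample in (REPORTED, CONSTRUCTED):
        for tag, element, verdict in triage(sample):
            print(f"{tag:8} {element!r:22} {verdict}")
```

To run it against a real binary, pass the text of `readelf -d <file>` to `triage()`.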