Check for RPATH

[Seirdy]

Like checksec, being able to detect RPATH and RUNPATH would be helpful; hardened binaries should exclude this information.

[timb-machine]

TBF, there's nothing wrong with DT_RPATH per se. It depends on the /value/ to which it is set. The real issues are unqualified paths (missing leading /, tree will be presumed to start from CWD), empty specifications (:: means CWD), use of $ORIGIN (can enable hardlink attacks since it expands to the location of the binary itself), libraries and/or directories that are world/group writable. Also, consider DT_RUNPATH too since this offers similar functionality.

[Seirdy]

On Sat, Mar 26, 2022 at 06:53:52AM -0700, Tim Brown wrote: TBF, there's nothing wrong with DT_RPATH per se. It depends on the /value/ to which it is set.

While this is true, I always felt that the value of checksec was making it really easy for people without a security background to run a quick test without worrying about exceptions like this.

The real issues are unqualified paths (missing leading /, tree will be presumed to start from CWD), empty specifications (:: means CWD), use of $ORIGIN (can enable hardlink attacks since it expands to the location of the binary itself), directories that are world/group writable. Also, consider DT_RUNPATH too since this offers similar functionality.

A check for these would certainly be better than simply checking for the simple presence of DT_RPATH and DT_RUNPATH. I think it's safe to first simply check for their presence and then consider implementing a check for their values, since people are somewhat accustomed to the former.