#2280 PR merged: Improved check for missing libraries in 990_verify_rootfs.sh (issue 2279)¶
Labels: enhancement, documentation, cleanup,
fixed / solved / done
jsmeix opened issue at 2019-11-19 16:04:¶
-
Type: Enhancement
-
Impact: Normal (sometimes even High)
-
Reference to related issue (URL):
https://github.com/rear/rear/issues/2279 -
How was this pull request tested?
On my openSUSE Leap 15.0 system:
# time usr/sbin/rear -D mkrescue
...
Copying all kernel modules in /lib/modules/4.12.14-lp150.12.79-default (MODULES contains 'all_modules')
Copying all files in /lib*/firmware/
...
Testing that the recovery system in /tmp/rear.SrlUTo4b7fvtlHL/rootfs contains a usable system
...
Exiting rear mkrescue (PID 13565) and its descendant processes
real 1m2.146s
user 0m49.257s
sys 0m8.092s
- Brief description of the changes in this pull request:
See
https://github.com/rear/rear/issues/2279#issuecomment-555562821
plus skip the ldd test for firmware files.
and redirected stderr of ldd avoids tons of ldd warnings in the log
like
ldd: warning: you do not have execution permission for ..., cf.
https://blog.schlomo.schapiro.org/2015/04/warning-is-waste-of-my-time.html
jsmeix commented at 2019-11-22 11:43:¶
Now I also explained the possible ldd security issue
with things like COPY_AS_IS+=( /home/JohnDoe )
in default.conf.
I would like to merge it as is for now because it works
and I would like to do a mitigation of the ldd security issue
in a separated pull request.
From my explanation of the ldd security issue
as we use it in the RequiredSharedObjects function
my offanded idea to mitigate this ldd security issue is
to run ldd only on files that are owned by 'root' on the original
system
becaue I think a file can be trusted when 'root' is its owner.
[Export of Github issue for rear/rear.]