On 15/05/2013 2:09 a.m., Tsantilas Christos wrote:
On 05/14/2013 03:00 PM, Amos Jeffries wrote:
On 14/05/2013 11:13 p.m., Tsantilas Christos wrote:
On 05/14/2013 12:52 PM, Amos Jeffries wrote:
Currently, after squid build, the system admin has to update the ld.so
configuration or set LD_LIBRARY_PATH to load the correct openSSL
libraries.
That is what I mean. If they have to do that then we are not setting
CPPFLAGS quite right. They should only have to build --with-openssl=X to
use the X library installation. Nothing else special.
This is also for Kerberos, LDAP libraries, XML libraries, and expat
libraries. Probably this requires a separate patch fixing all of
these...
Yes I think we are missing a whole pile of potential -Wl,-rpath=X
settings which our ./configure.ac should be adding when relevant.
For squid binaries we have not to use the (dangerous) -Wl,-rpath=X
option to compiler but just pass the "-rpath X" to libtool. The libtool
knows how to handle this parameter.
For my education: What is so dangerous about it that you know of?
I find documentation that indicates the -L options get turned into
-rpath entries by the compiler, BUT for some compilers when -rpath is
specified explicitly the -L are all ignored. That -L auto-conversion
could be why it has been working for years without anyone noticing the
absence of -rpath in our builds.
i.e. the problem showing up for you in that ./conftest may be just a
problem specific for your platform?
I also find documentation hinting that when rpath in a binary is *empty*
it might cause security vulnerabilities due to the search patterns. But
that would mean what we are looking at is resolving danger, not adding it.
The scheme we need to follow is the following:
- In configure.ac script we need to store the library directory. For
example for openSSL library path:
SSLLIBDIR="$with_openssl/lib"
AC_SUBST(SSLLIBDIR)
- In Makefile.am set the _LDFLAGS parameter, for binaries. For example
for squid:
squid_LDFLAGS = -export-dynamic -dlopen force -rpath $(SSLLIBDIR)
You will want to work around the automake conditional
USE_LOADABLE_MODULES when appending to squid_LDFLAGS, but yes that is
probably better than going through the compiler.
Amos
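
For the empty-rpath concern raised in the thread, a small audit that can be run over `readelf -d` output after a build. This is an added example, not part of the original messages or of the Squid build system; the sample output, its paths and the function names are constructed for illustration.

```python
import re

# Constructed `readelf -d` output; library names and paths are placeholders.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d98 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x000000000000000f (RPATH)              Library rpath: [/opt/openssl/lib::build/.libs]
"""

# Matches the DT_RPATH / DT_RUNPATH lines as printed by binutils readelf.
ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def audit_rpath(readelf_output):
    """Return (tag, component, problem) tuples for risky search-path entries."""
    findings = []
    for line in readelf_output.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for comp in value.split(":"):
            if comp == "":
                # An empty component is searched as the current directory.
                findings.append((tag, comp, "empty entry: current directory is searched"))
            elif comp.startswith(("$ORIGIN", "${ORIGIN}")):
                # Resolved relative to the binary's own location, not the cwd.
                continue
            elif not comp.startswith("/"):
                findings.append((tag, comp, "relative entry: depends on current directory"))
    return findings


def has_rpath(readelf_output):
    """True when the binary carries any RPATH or RUNPATH entry at all."""
    return any(ENTRY.search(line) for line in readelf_output.splitlines())


if __name__ == "__main__":
    for tag, comp, problem in audit_rpath(SAMPLE_READELF):
        print(f"{tag}: {comp!r}: {problem}")
```
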