Date: Mon, 16 Oct 2023 16:32:02 +0545
From: Mike Frysinger
To: Siddhesh Poyarekar
Cc: linux-man@vger.kernel.org, alx.manpages@gmail.com
Subject: Re: [PATCH] ldd: Do not recommend binutils as the safer option
In-Reply-To: <20231016061923.105814-1-siddhesh@gotplt.org>

On 16 Oct 2023 02:19, Siddhesh Poyarekar wrote:
> The binutils security policy[1] states that diagnostic tools should not
> be expected to be safe without sandboxing, so it doesn't make sense to
> recommend it as the alternative to ldd, especially since it is not a
> drop-in replacement. Recommend sandboxing instead, since that is in
> fact the safest known way at the moment to deal with untrusted binaries.

fwiw, this is one reason why i wrote `lddtree` (although the primary reason
was cross-compiling and separate-root dirs). it's part of the pax-utils
project that's available in most distros now.
-mike
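
Added example (not code from this thread, from pax-utils or from binutils): a bounds-checked Python reader that lists a binary's DT_NEEDED entries by parsing the ELF64 little-endian image instead of running it through the dynamic loader. The names `needed_libs` and `build_sample` are hypothetical and the sample image is constructed; in line with the policy quoted above, a parser like this would still be run inside a sandbox when the input is untrusted.

```python
import struct
PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5

def needed_libs(data):
    """DT_NEEDED names of an ELF64 little-endian image, found by parsing only."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian image")
    loads, tags = [], []
    try:
        (phoff,) = struct.unpack_from("<Q", data, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
        for i in range(phnum):
            p_type, _, off, vaddr, _, size = struct.unpack_from(
                "<IIQQQQ", data, phoff + i * phentsize)
            if p_type == PT_LOAD:
                loads.append((vaddr, off, size))
            elif p_type == PT_DYNAMIC:
                for pos in range(off, off + size - 15, 16):
                    tag, val = struct.unpack_from("<qQ", data, pos)
                    if tag == DT_NULL:
                        break
                    tags.append((tag, val))
    except (struct.error, OverflowError) as exc:  # header points outside file
        raise ValueError("truncated or malformed ELF structure") from exc
    needed = [v for t, v in tags if t == DT_NEEDED]
    strtab = next((v for t, v in tags if t == DT_STRTAB), None)
    if needed and strtab is None:
        raise ValueError("DT_NEEDED present without DT_STRTAB")
    names = []
    for va in (strtab + v for v in needed):  # DT_STRTAB is a virtual address
        seg = next((s for s in loads if s[0] <= va < s[0] + s[2]), None)
        if seg is None:
            raise ValueError("name address outside every PT_LOAD segment")
        start = seg[1] + va - seg[0]  # translate address to file offset
        nul = data.find(b"\0", start, seg[1] + seg[2])
        if nul < 0:
            raise ValueError("unterminated library name")
        names.append(data[start:nul].decode("utf-8", "replace"))
    return names

def build_sample():
    """Constructed ELF64 image: one PT_LOAD, one PT_DYNAMIC, two DT_NEEDED."""
    strtab = b"\0libc.so.6\0libm.so.6\0"  # dynamic at 176, strings at 240
    dyn = struct.pack("<qQqQqQqQ", DT_NEEDED, 1, DT_NEEDED, 11, DT_STRTAB, 240, DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, 261, 261, 4096)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, 176, 176, 176, 64, 64, 8)
    return ehdr + phdrs + dyn + strtab
```

Malformed input (bad magic, headers pointing past the end of the file, an unterminated name) raises `ValueError` rather than being read out of bounds.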