From: Tim van der Molen <tim@kariliq.nl>
Subject: rdist: fix noexec option
To: tech@openbsd.org
Date: Wed, 6 Aug 2025 13:33:04 +0200

rdist's noexec option does not skip PIE executables. This diff fixes
that by also checking for ELF files of type ET_DYN. Unfortunately, this
means that shared library files will now also be skipped if they have
execute permissions (but on OpenBSD they usually don't).

OK?

Index: isexec.c
===================================================================
RCS file: /cvs/src/usr.bin/rdist/isexec.c,v
diff -p -u -U10 -r1.13 isexec.c
--- isexec.c	24 Oct 2021 21:24:17 -0000	1.13
+++ isexec.c	6 Aug 2025 10:47:45 -0000
@@ -48,16 +48,20 @@ isexec(char *file, struct stat *statp)
 	/*
 	 * Must be a regular file that has some executable mode bit on
 	 */
 	if (!S_ISREG(statp->st_mode) ||
 	    !(statp->st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)))
 		return(FALSE);
 
 	if ((fd = open(file, O_RDONLY)) == -1)
 		return(FALSE);
 
-	r = read(fd, &hdr, sizeof(hdr)) == sizeof(hdr) &&
-	    IS_ELF(hdr) && hdr.e_type == ET_EXEC;
+	if (read(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) {
+		close(fd);
+		return(FALSE);
+	}
+
+	r = IS_ELF(hdr) && (hdr.e_type == ET_EXEC || hdr.e_type == ET_DYN);
 	close(fd);
 
 	return (r);
 }
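Review bot: The new `hdr.e_type == ET_DYN` test on the `r =` line has no comment saying why it is there or what else it matches. ET_DYN is shared by PIE executables and shared objects, so the only thing keeping ordinary libraries out is the execute-bit check at the top of the function; a short comment above the `r =` line stating that (PIE is ET_DYN, and executable-mode shared libraries are therefore skipped too) would keep a later reader from "fixing" it. Separately, the split into an early return adds a second `close(fd)` path that the change does not need: extending the original single expression with `(hdr.e_type == ET_EXEC || hdr.e_type == ET_DYN)` gives the same result with one exit and a smaller diff.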
Index: rdist.1
===================================================================
RCS file: /cvs/src/usr.bin/rdist/rdist.1,v
diff -p -u -U10 -r1.51 rdist.1
--- rdist.1	30 Dec 2024 07:13:33 -0000	1.51
+++ rdist.1	6 Aug 2025 10:47:45 -0000
@@ -311,21 +311,21 @@ Do not check user ownership of files tha
 The file ownership is only set when the file is updated.
 .It Ic nodescend
 Do not descend into a directory.
 Normally,
 .Nm
 will recursively check directories.
 If this option is enabled, then any files listed in the file list in the
 distfile that are directories are not recursively scanned.
 Only the existence, ownership, and mode of the directory are checked.
 .It Ic noexec
-Automatically exclude executable binary files in
+Automatically exclude executable binary and shared library files in
 .Xr elf 5
 format from being checked or updated.
 .It Ic numchkgroup
 Use the numeric group ID (GID) to check group ownership instead of
 the group name.
 .It Ic numchkowner
 Use the numeric user ID (UID) to check user ownership instead of
 the user name.
 .It Ic quiet
 Quiet mode.
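Review bot: The new `noexec` wording, "executable binary and shared library files", reads as if every shared library is excluded, but isexec() returns FALSE before looking at the header unless the file has one of S_IXUSR, S_IXGRP or S_IXOTH set. Suggest making the condition explicit, for example "executable binary files, and shared library files that have an execute permission bit set, in .Xr elf 5 format", so an administrator relying on rdist to distribute libraries can tell from the manual which ones will be silently skipped.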