From: Tim van der Molen
Subject: Re: rdist: fix noexec option
To: tech@openbsd.org
Date: Sun, 24 Aug 2025 14:37:22 +0200

Tim van der Molen (2025-08-06 13:33 +0200):
> rdist's noexec option does not skip PIE executables. This diff fixes
> that by also checking for ELF files of type ET_DYN. Unfortunately, this
> means that shared library files will now also be skipped if they have
> execute permissions (but on OpenBSD they usually don't).
>
> OK?

Ping

> Index: isexec.c > =================================================================== > RCS file: /cvs/src/usr.bin/rdist/isexec.c,v > diff -p -u -U10 -r1.13 isexec.c > --- isexec.c 24 Oct 2021 21:24:17 -0000 1.13 > +++ isexec.c 6 Aug 2025 10:47:45 -0000 > @@ -48,16 +48,20 @@ isexec(char *file, struct stat *statp) > /* > * Must be a regular file that has some executable mode bit on > */ > if (!S_ISREG(statp->st_mode) || > !(statp->st_mode & (S_IXUSR|S_IXGRP|S_IXOTH))) > return(FALSE); > > if ((fd = open(file, O_RDONLY)) == -1) > return(FALSE); > > - r = read(fd, &hdr, sizeof(hdr)) == sizeof(hdr) && > - IS_ELF(hdr) && hdr.e_type == ET_EXEC; > + if (read(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) { > + close(fd); > + return(FALSE); > + } > + > + r = IS_ELF(hdr) && (hdr.e_type == ET_EXEC || hdr.e_type == ET_DYN); > close(fd); > > return (r); > } > Index: rdist.1 > =================================================================== > RCS file: /cvs/src/usr.bin/rdist/rdist.1,v > diff -p -u -U10 -r1.51 rdist.1 > --- rdist.1 30 Dec 2024 07:13:33 -0000 1.51 > +++ rdist.1 6 Aug 2025 10:47:45 -0000
> @@ -311,21 +311,21 @@ Do not check user ownership of files tha > The file ownership is only set when the file is updated. > .It Ic nodescend > Do not descend into a directory. > Normally, > .Nm > will recursively check directories. > If this option is enabled, then any files listed in the file list in the > distfile that are directories are not recursively scanned. > Only the existence, ownership, and mode of the directory are checked. > .It Ic noexec > -Automatically exclude executable binary files in > +Automatically exclude executable binary and shared library files in > .Xr elf 5 > format from being checked or updated. > .It Ic numchkgroup > Use the numeric group ID (GID) to check group ownership instead of > the group name. > .It Ic numchkowner > Use the numeric user ID (UID) to check user ownership instead of > the user name. > .It Ic quiet > Quiet mode. >
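Review bot: in the isexec.c hunk, the new `r = IS_ELF(hdr) && (hdr.e_type == ET_EXEC || hdr.e_type == ET_DYN);` line treats every ET_DYN object as an executable, so an executable-mode shared library is skipped together with PIE binaries, exactly as the message says. If that false positive ever matters, the two can be told apart by looking for a PT_INTERP program header, which PIE executables carry and shared libraries normally do not, at the cost of reading the program header table instead of only the ELF header; for rdist's purpose the simpler e_type test looks like an acceptable trade-off. The split into an explicit short-read check with `close(fd); return(FALSE);` keeps the old short-circuit behaviour (hdr is never inspected after a short read) and reads more clearly than the combined expression it replaces.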
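Review bot: in the rdist.1 hunk, the wording "executable binary and shared library files" matches the code, but it can be read as excluding all shared libraries; since isexec() only considers files with an execute mode bit set, saying so (for example "executable binary files and shared library files with execute permission") would document the shared-library case the commit message describes rather than leaving it implicit.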