ldd.1: Add more detail on ldd security implications, noting glibc 2.27 changes

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2017-08-25 00:36:27 +02:00 · 2017-08-25 00:36:27 +02:00 · e5486b10fa
parent 36454047ec
commit e5486b10fa
1 changed files with 10 additions and 3 deletions
--- a/man1/ldd.1
+++ b/man1/ldd.1
@ -75,14 +75,21 @@ Be aware that in some circumstances
 some versions of
 .BR ldd
 may attempt to obtain the dependency information
-by attempting to directly execute the program
-(which may lead to the execution of whatever code is defined
+by attempting to directly execute the program,
+which may lead to the execution of whatever code is defined
 in the program's ELF interpreter,
-and perhaps to execution of the program itself).
+and perhaps to execution of the program itself.
 .\" Mainline glibc's ldd allows this possibility (the line
 .\"      try_trace "$file"
 .\" in glibc 2.15, for example), but many distro versions of
 .\" ldd seem to remove that code path from the script.
+(Until glibc version 2.27,
+ .\" glibc commit eedca9772e99c72ab4c3c34e43cc764250aa3e3c
+the upstream
+.B ldd
+implementation did this for example,
+although most distributions provided a modified version that did not.)
+.PP
 Thus, you should
 .I never
 employ