Re: [PATCH] correct installation of mod_dontdothat

From: Peter Samuelson <peter_at_p12n.org>
Date: Wed, 6 Mar 2013 17:06:48 -0600

> > That reminds me. We really should be installing Apache modules with
> > 'libtool --mode=install', because on some platforms that is _not_ just
> > a simple copy like you'd expect; sometimes it has to do other things.

[Philip Martin]
> We currently use Apache's apxs to install mod_dav_svn and
> mod_authz_svn and we leave it up to that script to invoke libtool as
> required.

Yes, well, how would apxs know anything about libtool? apxs just knows
there's a module at such-and-such path and it needs to be installed.

> Are you saying we should explicitly invoke libtool? Does apxs do the
> wrong thing?

It certainly does the wrong thing in my Debian build, so I've had to
patch it to use 'libtool --mode=install' instead / in addition.

Say you build svn in /tmp/xyz. Then in order to make sure you can
_run_ your stuff without installing, at least on some platforms,
libtool arranges for executables and libraries to include all sorts of
paths like /tmp/xyz/subversion/libsvn_client in the default library
search path baked into the executable. (This is called the RPATH and
you can view it with 'objdump -p'.) When you 'make install', libtool
then _relinks_ everything to remove those RPATH references to /tmp/xyz.

This actually has security implications. If you build svn in /tmp/xyz,
install it system-wide, and a malicious user later creates their own
/tmp/xyz/subversion/libsvn_client with a trojaned library ... you don't
want the system svn to actually _use_ it.

Peter
Received on 2013-03-07 00:08:38 CET

This is an archived mail posted to the Subversion Dev mailing list.
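
An added example, not part of the original mail or of Subversion's build scripts: a check for the leftover-RPATH problem described above, which reads 'objdump -p' output and reports every RPATH/RUNPATH entry outside a trusted prefix. The prefix list, the function names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Audit the library search path baked into an ELF file, as printed by
# 'objdump -p'. Added example; TRUSTED_PREFIXES is an assumption, adjust it
# to the directories only root can write to on your system.
TRUSTED_PREFIXES="/usr/lib /usr/local/lib /lib /opt"

# Reads 'objdump -p' output on stdin and prints one line per RPATH/RUNPATH
# entry that is not under a trusted prefix, e.g. a leftover build directory.
untrusted_rpath_entries() {
    awk -v trusted="$TRUSTED_PREFIXES" '
        BEGIN { n = split(trusted, pre, " ") }
        $1 == "RPATH" || $1 == "RUNPATH" {
            tag = $1
            # Strip the tag; the rest of the line is the colon-separated path.
            sub(/^[ \t]*[A-Z]+[ \t]*/, "")
            m = split($0, dirs, ":")
            for (i = 1; i <= m; i++) {
                d = dirs[i]; ok = 0
                for (j = 1; j <= n; j++)
                    if (d == pre[j] || index(d, pre[j] "/") == 1) ok = 1
                # A ".." component can climb out of a trusted prefix.
                if (d ~ /(^|\/)\.\.(\/|$)/) ok = 0
                # Empty and relative entries never match a prefix, so they
                # are reported as well.
                if (!ok) print tag ": " (d == "" ? "<empty>" : d)
            }
        }'
}

# Constructed sample of 'objdump -p' dynamic-section lines (not real output),
# using the build path from the mail above.
sample_objdump() {
    cat <<'EOF'
Dynamic Section:
  NEEDED               libsvn_client-1.so.0
  RPATH                /tmp/xyz/subversion/libsvn_client:/usr/lib
EOF
}

# Real use: objdump -p /path/to/installed/module.so | untrusted_rpath_entries
sample_objdump | untrusted_rpath_entries
```

Any line it prints for an installed file names a directory the dynamic loader will search that the system does not control.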