[gmx-developers] cmake build of gromacs 4.5.5 problem

Szilárd Páll szilard.pall at cbr.su.se
Sat Jun 11 19:56:43 CEST 2011


Hi,

Just to report back on what I learned from some CMake folks at their
mailing list. The colons are essentially placeholders that are meant
to provide enough space for the binaries to be patched, but not
entirely relinked - a process which can be quite time consuming. So
the amount of colons is essentially equal with the number of
characters the install binary's RPATH needs to be compared to the
RPATH of the in-build-tree binary.

This mechanism can be turned off by setting
CMAKE_NO_BUILTIN_CHRPATH=ON, case in which complete relinking would be
done.

--
Szilárd



On Thu, Jun 2, 2011 at 12:37 PM, Szilárd Páll <szilard.pall at cbr.su.se> wrote:
>> Technically, I think that's a security flaw. It allows the execution of
>> arbitrary user code. A few years ago we had a security type ask us to fix
>> something in GMXRC along these lines.
>
> Yes, technically it is, I do remember the report as well. However this
> seems to happen *only* to binaries in the build tree with hardcoded
> build-tree paths in their RPATH such that one can run the binaries
> from the build tree. So one would be silly to manually copy out and
> use those binaries. Also, if you are already run from your build tree
> a binary you just built it's not very diffiucult to execute arbitrary
> user code: just modify the source code and recompile! :)
>
> --
> Szilárd
>



More information about the gromacs.org_gmx-developers mailing list