Old 02-21-2008, 12:19 PM
Martin Vaeth
 
Default rpath and security (was: Gentoo now links with every lib?)

Arthur Hagen <art@broomstick.com> wrote:
>
> [great explanation about the security issue without -rpath]

Thank you very much for the explanation. I have now really understood
the problem for the first time. Indeed, I have also made some experiments now,
and all experiments said that you are completely right (contradicting
some false information which I had before).

However, how can one get a fully running system where every library
is linked with -rpath? Most upstream projects use autotools which
unfortunately do not have a ./configure option to add the appropriate
-rpath everywhere. One might try to hack autotools, but this would
mean modifying many versions of autotools and would probably break
many projects.
Is it possible to patch binaries/libraries to include corresponding
-rpaths *after* they are created with ldd?
In this case, it might be possible to write a tool like prelink
which adds these -rpaths and let it run over your whole system
(or even better: patch portage to run this tool after the install
phase so that new emerges are also correct and you do not
get trouble with wrong checksums when uninstalling something.
It might even be a portage FEATURE then so that it can be
deactivated on user request or for certain packages for which you
want, e.g., to care about LD_LIBRARY_PATH for some reason).

> I can't see how it would be much more work to maintain, because you
> already have to keep track of the path you install the libraries to.

If you are writing a new project without autotools, this is
certainly easy to manage. However, my problem is how to apply -rpath
to hundreds of existing projects "automatically" (i.e. without manually
modifying the build system of each individual project).
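An added example, not code from this thread, from portage or from prelink: the check a practitioner would want before and after running any "add -rpath everywhere" tool over a system. It parses each ELF object's dynamic section and reports whether the object carries DT_RPATH, DT_RUNPATH or neither. The distinction is the security-relevant caveat for this whole approach: ld.so consults DT_RPATH before LD_LIBRARY_PATH, but with DT_RUNPATH (what ld writes under --enable-new-dtags, the default on many distributions) LD_LIBRARY_PATH is searched first, so a library carrying only DT_RUNPATH is still overridable from the environment. The ELF parser is hand-written and handles only 64-bit little-endian objects; build_sample_elf is an assumed helper that constructs minimal in-memory objects for offline testing, not real linker output.

```python
"""Audit ELF objects for DT_RPATH / DT_RUNPATH: an added example, not code from the thread."""
import os
import struct
import tempfile

# Tag and segment constants from elf.h.
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
PHDR_FMT = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align

def _vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)

def read_dynamic_tags(data):
    """Return {'needed', 'rpath', 'runpath'} for an ELF64 little-endian object, or None if static."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    dynamic = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dynamic:
        return None  # no dynamic section: statically linked, nothing for ld.so to search
    d_off, d_size = dynamic[0][2], dynamic[0][5]
    tags = []
    for off in range(d_off, d_off + d_size, 16):  # Elf64_Dyn is (int64 d_tag, uint64 d_val)
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    strtab_off = _vaddr_to_offset(phdrs, next(v for t, v in tags if t == DT_STRTAB))

    def string_at(idx):
        start = strtab_off + idx
        return data[start:data.index(b"\0", start)].decode()

    return {
        "needed": [string_at(v) for t, v in tags if t == DT_NEEDED],
        "rpath": next((string_at(v) for t, v in tags if t == DT_RPATH), None),
        "runpath": next((string_at(v) for t, v in tags if t == DT_RUNPATH), None),
    }

def classify(tags):
    """Say which search order ld.so applies to this object's DT_NEEDED libraries."""
    if tags is None:
        return "static"
    if tags["runpath"] is not None:
        return "runpath"  # DT_RUNPATH present: LD_LIBRARY_PATH is consulted before it
    if tags["rpath"] is not None:
        return "rpath"    # DT_RPATH only: searched before LD_LIBRARY_PATH, so not overridable
    return "none"         # only LD_LIBRARY_PATH, ld.so.cache and the default directories

def audit_tree(root):
    """Walk a directory and classify every ELF file found; returns sorted (path, status) pairs."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:4] != b"\x7fELF":
                continue
            try:
                results.append((path, classify(read_dynamic_tags(data))))
            except ValueError as exc:
                results.append((path, "unparsed: %s" % exc))
    return sorted(results)

def build_sample_elf(needed=(b"libc.so.6",), rpath=None, runpath=None):
    """Constructed minimal ELF64 (headers + .dynstr + .dynamic only, not loadable) for offline tests."""
    strtab, idx = b"\0", {}
    for s in list(needed) + [p for p in (rpath, runpath) if p is not None]:
        if s not in idx:
            idx[s] = len(strtab)
            strtab += s + b"\0"
    strtab_off = 64 + 2 * 56                 # right after the ELF header and two program headers
    dyn_off = strtab_off + len(strtab)
    dyn_off += (-dyn_off) % 8                # keep .dynamic 8-byte aligned as a real linker would
    entries = [(DT_NEEDED, idx[s]) for s in needed] + [(DT_STRTAB, strtab_off)]
    entries += [(DT_RPATH, idx[rpath])] if rpath is not None else []
    entries += [(DT_RUNPATH, idx[runpath])] if runpath is not None else []
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries + [(DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)  # ET_DYN, x86-64
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)  # whole file at vaddr 0
    dynp = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + strtab + b"\0" * (dyn_off - strtab_off - len(strtab)) + dyn

def demo():
    """Drop three constructed objects into a temp dir and audit them; returns the audit list."""
    with tempfile.TemporaryDirectory() as d:
        for name, kw in (("a_none.so", {}), ("b_rpath.so", {"rpath": b"/usr/lib"}),
                         ("c_runpath.so", {"runpath": b"/usr/lib"})):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(build_sample_elf(**kw))
        return audit_tree(d)

if __name__ == "__main__":
    for path, status in demo():
        print("%-8s %s" % (status, path))
```

Run it against a real tree with audit_tree("/usr/lib") and every object reported as "none" or "runpath" is one that a LD_LIBRARY_PATH entry can still redirect. For the patching step itself, patchelf --set-rpath (together with --force-rpath to get a DT_RPATH rather than a DT_RUNPATH entry) rewrites an existing object in place; chrpath -r can only overwrite an rpath string that is already present and cannot lengthen it, so it does not help with objects that were built without any -rpath at all. Note also that ld.so ignores LD_LIBRARY_PATH for set-user-ID programs regardless of which tag they carry, so this audit matters most for ordinary, non-privileged binaries and the libraries they load.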