Permissions for shared libraries in Kerberos
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Nov 18 11:31:00 EST 2020
I have been working on packaging up our Kerberos code into a RPM (to upgrade
our ancient dusty old Kerberos RPMs), and I had been running into a problem
where shared library dependencies were not being processed properly.
More specifically, the executables were saying, "hey, I depend on
libkrb5.so(FOO)", but the RPM wouldn't ever figure out the shared
library PROVIDED "libkrb5.so(FOO)", so you'd get a bunch of unresolved
dependencies. We had this same problem with our ancient old dusty
Kerberos RPMs, but I wanted to fix this correctly for once.
Fast forward a distressingly large number of late-night hours later digging
into the guts of RPM, the reason for this is simple. The automatic dependency
scripts only extract symbols from shared libraries if they have the execute
bit set, and MIT Kerberos installs all of the shared libraries as mode 644.
So, this made me wonder ... why?
Regarding the mode bits on shared libraries, everyone seems to agree
that the execute bit for shared libraries on HP/UX _has_ to be set. But
for all other Unixes, it seems to kind of optional. A quick
informal survey seems to indicate that having the execute bit set
on shared libraries is relatively common, and the people who wrote
RPM sure expected that to be the case.
I was curious what libtool does, and it seems to use the install program
which at least on the systems I have access to defaults to mode 755.
If you install a static library, it looks like libtool defaults to
mode 644.
I'm wondering if Kerberos should simply default to installing shared
libraries as mode 755/555 everywhere, unless there is a reason to do
otherwise.
--Ken
More information about the krbdev
mailing list