In a secure process, the expansion of the $ORIGIN string is allowed only if it expands to a trusted directory. The occurrence of other relative path names poses a security risk.
A path like $ORIGIN/../lib apparently points to a location that is fixed by the location of the executable. However, the location is not actually fixed: a writable directory in the same file system could be used to exploit a secure program that uses $ORIGIN.
The following example shows this possible security breach if $ORIGIN were arbitrarily expanded within a secure process.
    $ cd /worldwritable/dir/in/same/fs
    $ mkdir bin lib
    $ ln $ORIGIN/bin/program bin/program
    $ cp ~/crooked-libc.so.1 lib/libc.so.1
    $ bin/program
    ..... using crooked-libc.so.1
You can use the utility crle(1) to specify trusted directories that enable secure applications to use $ORIGIN. Administrators who use this technique should ensure that the target directories are suitably protected from malicious intrusion.