
Thread: Limiting a library to a single program

  1. #1


    Before I ask this question, let me state that I understand the security implications of what I'm trying to do. Comments to the effect of "Don't do that," or "Find another program," are not helpful. Thanks.

    Bottom line: I need to make the claws-mail "Fancy" plugin available to users of Leap 15. The problem is that the plugin requires webkitgtk, which was removed from Leap as of 15.0. And, for the record, the "Dillo" plugin is not a solution to the problem I'm trying to solve here.

    That said, webkitgtk was dropped for valid security reasons, so I don't want to just build and install it where any program could make use of it. So what I'm thinking is that I'd like to build webkitgtk, claws, and its plugins in such a fashion that nothing else can use the library.

    Can I do this simply by building and installing webkitgtk to a non-standard location and then pointing my claws build to that location through manipulation of the library path? Or is there a better way to accomplish what I'm trying to do?

    Advice and pointers highly appreciated.

  2. #2

    First off, I'm not a programmer, so I could be wrong (but I don't think so).
    I think you can do this more or less on your own.
    Get the webkitgtk+ source code and compile it as a static library, then link your program to that static library. The resulting binary will not be dependent on the presence, or lack thereof, of webkitgtk+ shared objects.

  3. #3


    I have not played with AppArmor much, but could you build a "fence" around it with that?
    I don’t have anything to hide, but I don’t have anything I want to show you either.

  4. #4

    Originally posted by StevenKarp:
    Can I do this simply by building and installing webkitgtk to a non-standard location and then pointing my claws build to that location through manipulation of the library path?
    It has been a while since I have done anything like this. So my memory may be hazy.

    You put the libraries in whatever non-standard locations you want. And then you use LD_RUN_PATH to identify those locations. And, if I remember correctly, the program that you compile that way will have that path information encoded in control information, so that it will automatically know where to find the libraries.

    Note, however, that anybody could still access those libraries by using LD_LIBRARY_PATH. I don't think that's a big problem. If they try that with an "suid" program (a privileged program), then I think it drops its privileges if an LD_LIBRARY_PATH is specified. But, again, I'm quite rusty on the details of this, so best that you read up on it.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
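
A check for the LD_RUN_PATH approach described in the post above, as an added example that is not part of the original thread: a shell function that reads `readelf -d` output and reports whether the binary records the private library directory as its run path. The directory `/opt/claws-private/lib` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the run path recorded in a binary's dynamic section.
# Reads `readelf -d` output on stdin; $1 is the private library directory.
audit_runpath() {
    want=$1
    entry=$(sed -nE 's/^.*\((RPATH|RUNPATH)\).*\[(.*)\]$/\1 \2/p' | head -n 1)
    if [ -z "$entry" ]; then
        echo "FAIL no RPATH or RUNPATH entry found"
        return 1
    fi
    tag=${entry%% *}
    paths=${entry#* }
    rc=0
    found=no
    # Empty and relative entries resolve against the working directory.
    case ":$paths:" in *::*) echo "FAIL empty entry in $tag"; rc=1 ;; esac
    old_ifs=$IFS
    IFS=:
    for dir in $paths; do
        case $dir in
            "$want") found=yes ;;
            /* | '$ORIGIN'* | '') ;;
            *) echo "FAIL relative entry: $dir"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$found" = yes ] || { echo "FAIL $want missing from $tag"; rc=1; }
    # glibc searches LD_LIBRARY_PATH before DT_RUNPATH, but after DT_RPATH.
    if [ "$tag" = RUNPATH ]; then
        echo "NOTE LD_LIBRARY_PATH is searched before DT_RUNPATH"
    fi
    [ "$rc" -eq 0 ] && echo "OK $tag=$paths"
    return "$rc"
}

# Constructed samples of `readelf -d` output (not from a real build).
GOOD=' 0x0000000000000001 (NEEDED)   Shared library: [libwebkitgtk-1.0.so.0]
 0x000000000000001d (RUNPATH)  Library runpath: [/opt/claws-private/lib]'
BAD=' 0x000000000000000f (RPATH)    Library rpath: [/opt/claws-private/lib:build/.libs:]'

printf '%s\n' "$GOOD" | audit_runpath /opt/claws-private/lib
printf '%s\n' "$BAD" | audit_runpath /opt/claws-private/lib || true
```

On a real build, pipe the output of `readelf -d` for the compiled binary into `audit_runpath` in place of the samples.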

  5. #5

    Well, I don't know how you are planning on redistributing your binary, but webkitgtk is still available for Leap 15 from several user repos:
    https://software.opensuse.org/package/webkitgtk
    If you're planning on hosting your plugin on OBS, you can simply fork webkitgtk from one of those repos and have your users install it from your repo, and obviously have the shared objects installed system-wide (you said you don't want this).
    Or you could do as nrickert suggested and put the .so files in the same directory (or a subdir) of your plugin.
    Or do the difficult route and statically link your plugin to webkitgtk.
    I'm not sure what security issues webkitgtk has or why it was pulled from openSUSE.
    I see that webkitgtk3 is available for TW in the Gnome:Next repo. It may have those issues fixed, so maybe an update of your code to webkitgtk3 is a solution (you'd still need to host the RPMs).
    https://software.opensuse.org/package/webkitgtk3
    In the end it's your choice; none of us will tell you what to do.

  6. #6

    Recommend you submit an urgent "feature request" to https://bugzilla.opensuse.org

    A fixed webkitgtk has been released
    https://webkitgtk.org/2018/06/12/web...-released.html

    Although I posted a recommended alternative to webkitgtk in another forum thread recently, implementing that would require recoding apps.

    This updated and patched webkitgtk should be much less painful as a likely drop-in replacement for the old webkitgtk.

    BTW - Your Fancy plugin hasn't been updated since 2008/2009...
    https://github.com/mpollmeier/claws-...ree/gtk2/fancy

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7


    Thank you all for the advice.

    I should have been more specific in one respect: the plugin depends on libwebkitgtk-1.0-0, so updated webkitgtk releases aren't going to help. Nor is a feature request--the library was intentionally removed from Leap (and every other major distribution).

    And yes, I'm aware the plugin hasn't been updated in years. That's the problem. It will supposedly be addressed as part of Claws' migration to GTK3, but that's not exactly a fast-tracked project.

    I'm going to follow nrickert's path advice, after a bit more reading.

    Thanks again.
