2

The problem is ELF shared libraries and normal executables don't differ at all if you look at their ELF headers. On my Linux machine(Debian 11.4) even e_type field of the ELF header is set to shared object file as ht utility reports even when the file in consideration is an ELF executable. It looked like the only easy and reliable method to differ ELF executable files from ELF shared libraries, and for some reason GCC fills out e_type field only with this value. Nevertheless, file(1) utility can accurately tell me if the input file I give to her is an executable or shared library.

The first answer to this question suggests that the file(1)'s code should look for PT_INTERP program header: distinguish shared objects from position independent executables

This sounds reasonable because all shared libraries get loaded after the executable file is loaded in first place, so they don't need to load interpreter one more time because a normal executable would already have done it.

Also I found this in file(1) source code when I was looking how magic.mgc file is compiled:

0   name        elf-le
>16 leshort     0       no file type,
!:mime  application/octet-stream
>16 leshort     1       relocatable,
!:mime  application/x-object
>16 leshort     2       executable,
!:mime  application/x-executable
>16 leshort     3       ${x?pie executable:shared object},

and I cannot understand what the last line means but it seems I can find an answer to my question if I understand this.

CurtisB
  • 35
  • 3
  • On Debian 10.8 docker image `file /bin/dash` says `/bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=486323dd0fe3ec5af388e4ea4217a1f0092961d2, stripped`, what version are you using? – Arkadiusz Drabczyk Sep 20 '22 at 19:20
  • Debian 11.4, _file /bin/dash_ reports it as a _ELF 64-bit LSB pie executable_ – CurtisB Sep 20 '22 at 19:38

2 Answers2

0
>16 leshort     3       ${x?pie executable:shared object},

This means "look at a 2-byte little endian word at offset 16 of the file. If it has the value '3' then check if the file is executable or not (permissions bit). If it is, the type is 'pie executable', otherwise it is 'shared object'"

You can look at the magic(5) man page for info about this syntax.

Chris Dodd
  • 119,907
  • 13
  • 134
  • 226
  • 1
    chmod'ing a random library with a+x doesn't change my output. _file_ still thinks this a shared library – CurtisB Sep 20 '22 at 19:39
  • It's probably not using the magic file you think it is -- use `file -d `... to see the actual tests it is doing. Look for lines that end with " = 1" for tests that match (all the lines ending with " = 0" are tests it tried that don't match). – Chris Dodd Sep 20 '22 at 20:13
  • This answer is _probably_ partially wrong: I just did `chmod -x ./pie` and `file ./pie` still says it's a `pie executable`, despite `-rw-r----` permissions. – Employed Russian Sep 21 '22 at 02:50
0

Since commit 03084b161cf8, file(1) uses DF_1_PIE flag from FLAGS_1 entry of an ELF file's Dynamic section to adjust the executable bit, so the behavior depends on the distribution's version of file(1) utility. Also, between commits d653309de04e and 483e7d8f1a5c all dynamic ELF files were identified as shared objects by mistake I believe.

xzz
  • 1
  • 1