In computing, rpath designates the run-time search path hard-coded in an executable file or library. Dynamic linking loaders use the rpath to find required libraries. Specifically, it encodes a path to shared libraries into the header of an executable (or another shared library). This RPATH header value (so named in the Executable and Linkable Format header standards) may either override or supplement the system default dynamic linking search paths. The rpath of an executable or shared library is an optional entry in the section of the ELF executable or shared libraries, with the type , called the attribute. It can be stored there at link time by the linker. Tools such as and can create or modify the entry later.

Use of the DT_RPATH entry by the dynamic linker

The different dynamic linkers for ELF implement the use of the attribute in different ways.

GNU ld.so

The dynamic linker of the GNU C Library searches for shared libraries in the following locations in order: Failing to find the shared library in all these locations will raise the "cannot open shared object file: No such file or directory" error. Notes:

The role of GNU ld

The GNU Linker (GNU ld) implements a feature which it calls "new-dtags", which can be used to insert an rpath that has lower precedence than the environment variable. If the new-dtags feature is enabled in the linker, GNU , besides setting the attribute, also sets the attribute to the same string. At run time, if the dynamic linker finds a attribute, it ignores the value of the attribute, with the effect that is checked first and the paths in the attribute are only searched afterwards. The ld dynamic linker does not search locations for transitive dependencies, unlike. Instead of specifying the to the linker, the environment variable can be set to the same effect.

Solaris ld.so

The dynamic linker of Solaris, specifically of SunOS 5.8 and similar systems looks for libraries in the directories specified in the LD_LIBRARY_PATH variable before looking at the attribute. Sun Microsystems was the first to introduce dynamic library loading. Sun later added the rpath option to ld and used it in essential libraries as an added security feature. GNU ld did the same to support Sun-style dynamic libraries.

Example

In this example, GNU or Sun ld (ld.so) will REFUSE to load termcap for a program needing it unless the file is in and named. LD_LIBRARY_PATH is ignored. If is removed to remediate, the shell dies (one cannot load an alternate and a rescue disk is needed, but also if a new has RPATH /lib, ld.so will refuse to use to load it unless it clobbered ). But there's another issue: it isn't safe to copy over some libs in as they are "in use," further restricting the would-be lib tester. Furthermore, SONAME termcap.so.4 vs. SONAME termcap.so means programs needing basic are denied because the library above deleted the ABI access to basic support. Old Linux/Sun used the above, which allows a user to direct any program to use any they specify in LD_LIBRARY_PATH, or what is found in /usr/local/lib(n) using the search rules such as. However, GNU ld always uses or regardless before LD_LIBRARY_PATH, so first is moved to and that mentioned in , which enables use of moving and or use of LD_LIBRARY_PATH to use. A preferred practice is to use "SONAME termcap.so" and have programs check version (all libs do support that) to use features available, but that was often skipped in old releases due to slow computing speed and lack of time to code correctly. That being said, test this kind of thing thoroughly on a given platform before deciding to rely on it. Release administrators today are not guaranteed to respect past guidelines or documentation. Some UNIX varieties link and load in a completely different way. rpath is specific to ld shipped with a particular distribution. Lastly, as said, rpath is a security feature however "mandatory access control" (MAC) and other techniques can be as effective or more effective than rpath to control lib reading and writing. Control over rpath using today's compilers is often nearly impossible given lengthy and convoluted make(1) scripting. Worse, some build scripts ignore—disable-rpath even though they present it as an option. It would be time-consuming and frustrating, and probably unfeasible, to fix build scripting in every odd program to compile. A simple sh(1) "wrapper" can call the real ld, named ld.bin. The wrapper can filter in/out -rpath option before invoking ld. However, note that some builds incorrectly use rpath instead of rpath-link or LD_LIBRARY_PATH or $(TOP)/dir/foo.so to locate intermediate products that stay in the build directory - thus backwardly demand rpath in the final product, which is a new issue concerning "what is rpath".

Security considerations

The use of rpath and also runpath can present security risks where the value applied includes directories under an attacker's control. This can include cases where the value defined explicitly references an attacker writable location but also instances where a relative path is used, either through the presence of. or .., via $ORIGIN etc or where a directory statement is left unpopulated. In particular, this can allow for setUID binaries to be exploited, where an insecure path is used. This can be leveraged to trick the binary into loading malicious libraries from one or other of the directories under an attacker's control.