Why in the world did the authors of ld.so choose a variable escape character significant to the shell?
Grumble, well, they did.
But relative runpaths can be inserted (if you try hard enough).
The Cliff's Notes version:
Code:
bin # export INT=`printf '%s' '/mnt/us/extensions/system/lib/ld-linux-armhf.so.3'`
bin # echo $INT
/mnt/us/extensions/system/lib/ld-linux-armhf.so.3
core2quad bin # patchelf --set-interpreter $INT busybox
bin # export LIB=`printf '%s' '$' 'ORIGIN/../lib' '$' 'ORIGIN/../usr/lib'`
bin # echo $LIB
$ORIGIN/../lib:$ORIGIN/../usr/lib
bin # patchelf --set-rpath $LIB busybox
====
bin # readelf -dl busybox
- - - -
Dynamic section at offset 0x13a180 contains 24 entries:
Tag Type Name/Value
0x0000001d (RUNPATH) Library runpath: [$ORIGIN/../lib:$ORIGIN/../usr/lib]
====
[root@kindle root]# echo $PATH
/mnt/us/extensions/system/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/python/bin
[root@kindle root]# LD_DEBUG=libs busybox
27571: find library=libc.so.6 [0]; searching
- - - -
27571: calling init: /mnt/us/extensions/system/bin/../lib/libc.so.6
- - - -
BusyBox v1.22.1 (2014-06-11 02:23:01 CDT) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2012.
etc.