Date: Wed, 26 Jun 2002 21:55:11 -0700 (PDT)
From: Paul Herman
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv)
In-Reply-To: <20020626183519.F36946-100000@roble.com>
Message-ID: <20020626213923.M86130-100000@mammoth.eat.frenchfries.net>

On Wed, 26 Jun 2002, Roger Marquis wrote:

> Robert Watson wrote:
> >You will catch most applications simply by rebuilding libc and
> >reinstalling. Unfortunately, some applications are statically linked, and
> >they must be individually relinked against the new libc and reinstalled.
>
> This makes a good case for doing away with static linking of system
> binaries.

No, the ease of administration makes a good case for doing away with
static linking, security doesn't. From a security perspective,
there are some disadvantages of dynamic libraries.
Although it's not new to use LD_PRELOAD to a hacker's advantage,
right now I'm thinking of the BUGTRAQ "ssh environment" article but
there are certainly other applications.

Switching completely to either static OR shared libraries will not
necessarily improve your security. Both have pros and cons.

-Paul.
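
The relinking step in the quoted text depends on knowing which installed binaries are statically linked, since those keep their own copy of the old libc. The following is an added example, not part of the original message: it reads ELF program headers and reports executables that have neither PT_INTERP nor PT_DYNAMIC. The names `classify` and `find_static` and the default directories are assumptions, and static-PIE binaries (which carry PT_DYNAMIC) are not detected.

```python
import os
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types from the ELF specification
ET_EXEC, ET_DYN = 2, 3         # executable / shared object or PIE

def classify(data):
    """Return 'static' or 'dynamic' for an ELF executable image, else None."""
    if len(data) < 6 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"            # EI_DATA: byte order
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        if data[4] == 1:                          # EI_CLASS: ELF32
            (phoff,) = struct.unpack_from(end + "I", data, 28)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        else:                                     # ELF64
            (phoff,) = struct.unpack_from(end + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        ptypes = {struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
                  for i in range(phnum)}
    except (struct.error, OverflowError):         # truncated or corrupt header
        return None
    if e_type not in (ET_EXEC, ET_DYN):           # skip .o files and core dumps
        return None
    # No interpreter and no dynamic section: libc was copied in at link time.
    return "dynamic" if ptypes & {PT_INTERP, PT_DYNAMIC} else "static"

def find_static(dirs):
    """Walk dirs and return sorted paths of statically linked ELF executables."""
    hits = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        image = fh.read()
                except OSError:                   # unreadable: skip, do not abort
                    continue
                if classify(image) == "static":
                    hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Default directories are an assumption; pass the ones to audit as arguments.
    for hit in find_static(sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]):
        print(hit)
```

Each path printed is a binary that a rebuilt shared libc will not fix and that has to be relinked and reinstalled on its own.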