Date: Wed, 19 Nov 2003 21:16:37 +0000 (GMT)
From: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
To: Scott Long <scottl@freebsd.org>
Cc: "M. Warner Losh" <imp@bsdimp.com>
Subject: Re: Unfortunate dynamic linking for everything
Message-ID: <Pine.LNX.4.44.0311192110020.3227-100000@a.mx.ict1.everquick.net>
In-Reply-To: <20031118164905.R35009@pooker.samsco.home>

SL> Date: Tue, 18 Nov 2003 17:06:06 -0700 (MST)
SL> From: Scott Long

SL> 3. Binary security updates: there is a lot of interest in providing a
SL> binary update mechanism for doing security updates. Having a dynamic
SL> root means that vulnerable libraries can be updated without having to
SL> update all of the static binaries that might use them.

Although this doesn't help the upgrade process, what if one
symbol (such as function name + CVS tag) were exported per
function? One could check for a vulnerability by strings | grep
funcname | inspect CVS tag. A more elegant approach would be to
store such versioning in another segment and have a tool that
understands the data, a la debugger symbols.

On a different note:

+ Some of us have had a few bad experiences with glibc (granted,
  it's glibc) upgrades when the shell, cp, ls, et cetera are
  dynamically linked.

+ I put the shell of choice and all of SSH's guts on the root
  partition... if /usr gets clobbered, I still want to be able
  to boot and log in remotely. If / gets clobbered, I have
  bigger problems. :-)

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
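
The check proposed in the message above (one embedded "function name + CVS tag" string per function, then a scan of the static binary for it), as an added example that is not part of the original e-mail or of FreeBSD. The `FUNCVER:<function>:<revision>` tag layout, the function names, the sample bytes and the advisory table are all constructed assumptions.

```python
import re

# Hypothetical tag layout (not from the original message): each function
# contributes one NUL-terminated string "FUNCVER:<function>:<CVS revision>".
TAG_RE = re.compile(rb"FUNCVER:([A-Za-z_][A-Za-z0-9_]*):(\d+(?:\.\d+)+)\x00")


def embedded_versions(image: bytes) -> dict:
    """Return {function name: revision tuple} for every tag found in image."""
    return {
        m.group(1).decode(): tuple(int(p) for p in m.group(2).split(b"."))
        for m in TAG_RE.finditer(image)
    }


def status(found, fixed):
    """Compare two CVS revisions; only revisions on the same branch are ordered."""
    if found is None:
        return "absent"  # function not linked in, or binary built without tags
    if len(found) != len(fixed) or found[:-1] != fixed[:-1]:
        return "unknown"  # different branch: a numeric comparison would mislead
    return "vulnerable" if found < fixed else "fixed"


def audit(image: bytes, advisories: dict) -> dict:
    """Map each advisory's function to absent / vulnerable / fixed / unknown."""
    versions = embedded_versions(image)
    return {
        func: status(versions.get(func), tuple(int(p) for p in fixed_in.split(".")))
        for func, fixed_in in advisories.items()
    }


# Constructed sample: bytes standing in for a statically linked binary.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"FUNCVER:foo_parse:1.9\x00" + b"\x90\x90\xc3"
    + b"FUNCVER:bar_lookup:1.27\x00"
    + b"FUNCVER:baz_decode:1.4.2.1\x00"
)

# Constructed advisory table: function -> first trunk revision with the fix.
SAMPLE_ADVISORIES = {"foo_parse": "1.10", "bar_lookup": "1.20",
                     "baz_decode": "1.6", "qux_copy": "1.3"}

if __name__ == "__main__":
    for func, result in audit(SAMPLE_IMAGE, SAMPLE_ADVISORIES).items():
        print(f"{func}: {result}")
```

Revisions are compared as integer tuples so that 1.9 sorts before 1.10, which a plain string comparison of the `strings | grep` output would get wrong.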
