From: Kris Kennaway
To: Andrew Pantyukhin
Cc: hackers@freebsd.org, secteam@freebsd.org, Kris Kennaway
Date: Fri, 13 Oct 2006 20:32:38 -0400
Subject: Re: Tracing binaries statically linked against vulnerable libs
Message-ID: <20061014003238.GA6341@xor.obsecurity.org>
References: <20061006215902.GA21109@xor.obsecurity.org>
List-Id: freebsd-hackers (Technical Discussions relating to FreeBSD)

On Fri, Oct 13, 2006 at 05:18:57PM +0400, Andrew Pantyukhin wrote:
> On 10/7/06, Kris Kennaway wrote:
> >On Fri, Oct 06, 2006 at 09:35:31AM +0400, Andrew Pantyukhin wrote:
> >> I wonder if there is a way to deal with statically linked binaries,
> >> which use vulnerable libraries.
> >
> >The best way is to track them down and force them all to link
> >dynamically; static linking is a PITA from a systems management point
> >of view :)
>
> Do you think we could do that without a serious impact on
> performance?

In most of the cases I've looked at the statically linked binary is not
performance critical or otherwise necessary (the only exception I saw is
for some tripwire-like port whose name I forget, which is statically
linked as a security enhancement, to make it less easily subverted).
Static linking can be made an OPTION if someone thinks it's really
necessary for a given port.

> I know Gentoo has this Prelink feature
> (http://www.gentoo.org/doc/en/prelink-howto.xml) which
> helps with performance, but looks like a hack.
>
> Anyway, maybe portmgr could issue some kind of a policy
> about this. I.e. (1) use {build,run}_depends instead of lib_
> when you depend on a port providing both shared and
> static libraries, but link statically; (2) make an effort to
> encourage dynamic linking - try to provide only shared
> libs in new ports, remove unused static ones from old
> ones, and so on.

(1) is just a statement of correct behaviour, no need for a policy about
it (it could be clarified in the porters handbook if needed).

(2) could also be added to the porter's handbook as a recommendation - I
don't think we need a formal proclamation of policy about it.

Kris

P.S. I can provide a list of static binaries in ports if anyone wants to
work on fixing them.
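The thread's practical problem is "track them down": finding the installed binaries that carry a statically linked copy of a library and so will not pick up a fix to the shared library. Below is an added example of how that can be done, written for this page and not code from the FreeBSD ports tree or from anyone in the thread. It parses ELF program headers directly (no readelf or file dependency), treats an ET_EXEC image with no PT_INTERP and no PT_DYNAMIC segment as statically linked, and then searches the file for library version banners so a later vulnerability check has something concrete to compare against. The banner regexes and the sample ELF images produced by build_sample_elf() are assumptions for illustration only.

```python
#!/usr/bin/env python3
"""Locate statically linked ELF executables and the library banners compiled into them.

Added example, not code from the FreeBSD thread or the ports tree.  Rule used:
an ET_EXEC image with no PT_INTERP and no PT_DYNAMIC segment is statically linked.
BANNER_PATTERNS and the images built by build_sample_elf() are assumptions, not
real binaries or a complete list of library version strings.
"""
import os
import re
import struct
import sys

ET_EXEC = 2
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3

# Assumed banner patterns: version strings that libraries commonly embed in their objects.
BANNER_PATTERNS = [
    re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]?"),
    re.compile(rb"zlib version \d+\.\d+\.\d+"),
    re.compile(rb"libpng version \d+\.\d+\.\d+"),
]


def parse_elf(data):
    """Return (e_type, [p_type, ...]) for an ELF32/ELF64 image of either byte order,
    or None when the bytes are not an ELF file or the header is truncated."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        return None
    try:
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        if ei_class == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
            e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
            e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
            e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        else:
            return None
    except struct.error:
        return None
    ptypes = []
    if e_phentsize < 4:           # nonsense entry size: nothing sensible to walk
        return e_type, ptypes
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):   # truncated or hostile table: stop instead of raising
            break
        # p_type is the first 4 bytes of a program header in both ELF classes.
        ptypes.append(struct.unpack_from(endian + "I", data, off)[0])
    return e_type, ptypes


def is_static_elf(data):
    """True for an executable that needs neither an interpreter nor a dynamic section."""
    info = parse_elf(data)
    if info is None:
        return False
    e_type, ptypes = info
    return e_type == ET_EXEC and PT_INTERP not in ptypes and PT_DYNAMIC not in ptypes


def embedded_banners(data):
    """Sorted, de-duplicated library version banners found anywhere in the image."""
    found = set()
    for pat in BANNER_PATTERNS:
        for m in pat.finditer(data):
            found.add(m.group(0).decode("ascii", "replace"))
    return sorted(found)


def build_sample_elf(static, payload=b""):
    """Constructed ELF64 little-endian x86-64 image (not a runnable binary) with a
    PT_LOAD segment, plus PT_INTERP and PT_DYNAMIC unless static; payload follows."""
    ptypes = [PT_LOAD] if static else [PT_LOAD, PT_INTERP, PT_DYNAMIC]
    phentsize, phoff = 56, 64
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_EXEC, 62, 1, 0, phoff, 0, 0,
                               64, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs + payload


def scan_tree(root):
    """Yield (path, banners) for every statically linked executable under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_static_elf(data):
                yield path, embedded_banners(data)


if __name__ == "__main__":
    for path, banners in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"):
        print(path, ", ".join(banners) or "(no known banner)")
```

On a ports-built system one would point it at /usr/local/bin and /usr/local/sbin, or at the file list from pkg_info -L for each package, and compare the banners it reports against the versions named in a VuXML entry. Two caveats: a statically linked position-independent executable is ET_DYN with PT_DYNAMIC and no PT_INTERP, which this rule deliberately does not flag, and the absence of a banner only means no recognised string was found, not that the library is absent, so a miss still calls for checking the port's build log.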