From owner-freebsd-security Tue Apr 21 22:05:17 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA13809 for freebsd-security-outgoing; Tue, 21 Apr 1998 22:05:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA13782 for ; Wed, 22 Apr 1998 05:04:55 GMT (envelope-from peter@netplex.com.au) Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id NAA01624 for ; Wed, 22 Apr 1998 13:04:36 +0800 (WST) (envelope-from peter@spinner.netplex.com.au) Message-Id: <199804220504.NAA01624@spinner.netplex.com.au> X-Mailer: exmh version 2.0.2 2/24/98 To: freebsd-security@FreeBSD.ORG Subject: Re: Using MD5 insted of DES for passwd ecnryption In-reply-to: Your message of "Tue, 21 Apr 1998 14:14:37 -0400." <199804211814.OAA23669@brain.zeus.leitch.com> Date: Wed, 22 Apr 1998 13:04:35 +0800 From: Peter Wemm Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Greg A. Woods wrote: > [ On Tue, April 21, 1998 at 09:35:41 (-0700), Mike Smith wrote: ] > > Subject: Re: Using MD5 insted of DES for passwd ecnryption > > > > > I think it should always be possible to statically link the whole system > > > if one so desires. That's the one sure way to test if shared libraries > > > are causing any weirdness. > > > > How are you supposed to load arbitrary (possibly third-party) > > authentication modules if you have to have the source at build time? > > That's stupid. > > Maybe not the source, but at minimum the objects. Any method of > run-time control over password encryption schemes should permit all > available schemes to be statically linked simultaneously into the > relevant binaries such that a run-time "switch" can select amongst those > that were available at link time. Naturally adding more schemes > requires re-linking -- but that's neither surprising, nor upsetting. And what happens when you've got some static 3rd party binary that you can't relink, and you use a different encryption system locally? (eg: the chained secureware (as used in SCO etc) des hash method). Distributing statically linked binaries has to be strongly discouraged since it prevents things like libc bug fixes (eg: res_send() being adjusted to use poll() or large a fd_set with select() and so on). Anyway, static linking should be supported still, but what I suggested earlier is that we will have to start doing variaions on the library builds... ie: different version of libcrypt for static and dynamic mode. The static libcrypt would have the encryption/hash methods compiled in, while the dynamic version may instead be a runtime switch routine using dlopen(). Somebody (Mark?) raised the possibility of using dlopen() from within a static binary. This is "difficult" because: 1: I believe ld.so needs to be initialized early early before the main() gets called (ie in crt0.o), so your 'static' binary still uses ld.so. 2: there are no runtime symbol tables.. the md5.so routine could not make libc calls as there would not be a dynamic libc. It'd have to have things like strcmp() etc all linked in to the .so from libc_pic.a This isn't a huge problem, but adds complications. You can't safely have md5.so dynamically linked to libc.so.x.x for strcmp since that brings along malloc etc and two mallocs in the same program space (if both are active) is pretty deadly and asking for trouble. 3: ld already has a -Bforcedynamic mode to generate the necessary glue for running ld.so from binaries that don't have any shared library dependencies. All that is needed is that you need to tell gcc to link with crt0.o (the one that opens ld.so) and use -Bforcedynamic and explicitly link with static libraries and you've got a 100% static linked binary that calls ld.so at startup (which doesn nothing yet) and you can later call dlopen(). Obviously crt0.o will need to look elsewhere in case /usr/libexec/ld.so isn't available. Some gcc LINK_SPEC mods might be enough. FWIW, I'm a little amazed at the paranoia about dynamic linking. I have *never* *ever* "lost" or damaged ld.so except through stupidity (made a mistake with a source change and caused an undefined symbol). I have never lost or damaged libc.so except through stupidity (again, generally through normal development accidents with undefined symbols). I have also rendered my system "cactus" by loosing /dev/console, the entire /dev directory, damaging /sbin/init and /sbin/sh, misakes in /etc/rc and so on. ld.so and libc.so have been the *least* of my problems. I can understand the concern of people coming from systems with less robust VM systems, but we've had a system where the executable activation and mmap() etc have been pretty much unified and have been quite been solid since 2.0.5 days. I can't ever recall a situation where ld.so was unable to be successfully mmap'ed while executables themselves were loadable. > -- > Greg A. Woods > > +1 416 443-1734 VE3TCP > Planix, Inc. ; Secrets of the Weird Cheers, -Peter -- Peter Wemm Netplex Consulting To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message