static compiling bind 8.2.2 P5 on linux

Luigi P. Bai lpb at focalpoint.com
Wed Mar 29 16:31:07 UTC 2000


Wouldn't you end up with the same bugs whether you linked statically or 
dynamically? I mean, after all, it's the same source code in the clib.

I was able to set up the chroot jail for Linux by only copying over the 
shared library, and starting up named with the -u -g -t options. The clib 
has all the resolver stuff in it that is needed; I haven't had to copy any 
ld.so or other glue stuff in there (I guess that's because I don't start it 
with "chroot ... named"; I instead count on the named code to do the right 
thing with chroot).

The security hole you are worried about (with dynamic libs) is: someone can 
cause a trapdoor by writing over the lib while the executable is running. 
But if they can do that, then someone can overwrite your static named 
executable, or static named-xfer, or your named.conf (removing acls and 
allowing dynupdates), etc. I think that if there's a bug in gets() then 
it's in both the static and dynamic libraries.


At 12:53 AM 3/29/00, Jim Reid wrote:
--- Begin Original Message ---
>Well if you add the shared C library to the chroot jail, any holes in
>that library become available to the processes running in the
>chroot'ed environment. [Think gets().] And you usually have to add a
>bunch of other files so that the shared library can be mmap()ed into
>the chroot'ed processes. This is a pain and theoretically makes things
>less secure. The more files that get put in the chroot jail, the
>higher the chances that you introduce something that has or causes a
>security hole. A minimal environment should be provided in a chroot
>jail. Providing shared libraries there can be a step too far.
--- End Original Message ---
--SIG--------------------------------------------------------
Home Page: http://www.focalpoint.com/
education is what's left after what is learned is forgotten.
                                               -- b f skinner
Luigi P. Bai                             Focal Point Software, Inc.
lpb at focalpoint.com                 1225 N. Loop 610 W., Suite 214
turning data into information      Houston, TX   77008-1757
                                               (713) 215-1612