static compiling bind 8.2.2 P5 on linux
Luigi P. Bai
lpb at focalpoint.com
Wed Mar 29 16:31:07 UTC 2000
Wouldn't you end up with the same bugs whether you linked statically or
dynamically? I mean, after all, it's the same source code in the clib.
I was able to set up the chroot jail for Linux by only copying over the
shared library, and starting up named with the -u -g -t options. The clib
has all the resolver stuff in it that is needed; I haven't had to copy any
ld.so or other glue stuff in there (I guess that's because I don't start it
with "chroot ... named"; I instead count on the named code to do the right
thing with chroot).
The security hole you are worried about (with dynamic libs) is: someone can
cause a trapdoor by writing over the lib while the executable is running.
But if they can do that, then someone can overwrite your static named
executable, or static named-xfer, or your named.conf (removing acls and
allowing dynupdates), etc. I think that if there's a bug in gets() then
it's in both the static and dynamic libraries.
At 12:53 AM 3/29/00 , Jim Reid wrote:
--- Begin Original Message ---
>Well if you add the shared C library to the chroot jail, any holes in
>that library become available to the processes running in the
>chroot'ed environment. [Think gets().] And you usually have to add a
>bunch of other files so that the shared library can be mmap()ed into
>the chroot'ed processes. This is a pain and theoretically makes things
>less secure. The more files that get put in the chroot jail, the
>higher the chances that you introduce something that has or causes a
>security hole. A minimal environment should be provided in a chroot
>jail. Providing shared libraries there can be a step too far.
--- End Original Message ---
--SIG--------------------------------------------------------
<A HREF="http://www.focalpoint.com/">Home Page</A>
education is what's left after what is learned is forgotten.
-- b f skinner
Luigi P. Bai Focal Point Software, Inc.
lpb at focalpoint.com 1225 N. Loop 610 W., Suite 214
turning data into information Houston, TX 77008-1757
(713) 215-1612
More information about the bind-users
mailing list