bind-9 and static
Dave Wreski
dave at nic.com
Thu Sep 21 04:20:31 UTC 2000
> > Yes, I understood that. I agree the overhead wasn't exactly a desired
> > effect. I was interested in learning more about it as well as thinking
> > that since it would be running as an unprivileged user the
> > likelihood of installing an suid or other potential avenue for exploit
> > would be reduced. (I also understand that it would probably be just as
> > easy for the cracker to bring his own libc with him...)
> >
> Never take an executable that has not been designed for suid
> operation and set the suid bit. Static vs dynamic linking
> won't make a difference to the potential vulnerabilities caused
> by doing this.
Whoa, for clarification, I never meant my comments above to even remotely
imply I would arbitrarily be adding suid to a binary!
> For named-xfer to run in the chroot jail it needs to have the
> shared libraries in the jail as well. If you statically link
> it there are less things you have to put in the jail for it to
> work.
Yes, and when I built the bind-8.2.2p5 SRPM back in like March, I
statically-compiled named-xfer as well ;)
Thanks again,
Dave
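
The point in the thread about what a dynamically linked named-xfer needs inside the chroot jail can be checked from `ldd` output. The following is an added example, not part of the original messages or of BIND: it parses `ldd`-style text and lists the files that must exist under the jail root. The sample `ldd` text, the function names and the `/srv/jail` path are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which files a chroot jail needs for a binary,
# from `ldd` output. Sample text below is constructed, not taken from a
# real named-xfer build.

SAMPLE_DYNAMIC='    linux-vdso.so.1 (0x00007ffd5a5f2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1a000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3c1a400000)'
SAMPLE_STATIC='    statically linked'
SAMPLE_MISSING='    libexample.so.1 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c1a000000)'

# Read ldd output on stdin; print each library (and the dynamic loader)
# that has to be present inside the jail, one absolute path per line.
# Prints nothing for a static binary. Exit status 2 means ldd could not
# resolve a library, so the binary would not start inside the jail either.
jail_libs_from_ldd() {
    awk '
        /statically linked|not a dynamic executable/ { exit 0 }
        /not found/ { missing = 1; next }
        # "libc.so.6 => /lib/libc.so.6 (0x...)": resolved library
        $2 == "=>" && $3 ~ /^\// { if (!seen[$3]++) print $3; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)": the loader, path only
        $1 ~ /^\// { if (!seen[$1]++) print $1; next }
        # Anything else (e.g. linux-vdso) is kernel-provided: no file to copy.
        END { exit (missing ? 2 : 0) }
    '
}

# Read absolute paths on stdin; print "source -> destination", keeping the
# same path under the jail root so the loader finds it after chroot().
jail_plan() {
    jail=${1%/}
    while IFS= read -r lib; do
        printf '%s -> %s%s\n' "$lib" "$jail" "$lib"
    done
}

# Demo on the constructed sample; /srv/jail is a hypothetical jail root.
# On a real system: ldd /path/to/binary | jail_libs_from_ldd | jail_plan /srv/jail
printf '%s\n' "$SAMPLE_DYNAMIC" | jail_libs_from_ldd | jail_plan /srv/jail
```

For a statically linked binary the list is empty, which is the "fewer things in the jail" case described in the quoted reply.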