[rescue] SGI fw_sshd and security
Jonathan C. Patschke
jp at celestrion.net
Sun Mar 7 03:20:39 CST 2004
On Sat, 6 Mar 2004, Meelis Roos wrote:
> We had a discussion at $WORK some days ago about whether to link zlib
> dynamically or statically. We decided to load it dynamically because of
> _security reasons_ - when a security bug was found in zlib, it was a
> pain in the ass to recompile every binary that linked zlib statically
> and on some machines some binaries were probably still left vulnerable.
Look at it from the other way. What if someone finds a way to overwrite
libwrap.so with a trojaned one by use of a local exploit? Keep in mind
that most code that uses libwrap.so tends to also have root privileges
and be associated with a network connection.
Security-conscious code like that should be statically-linked. Period.
Updating software is a PITA, sure, but a list of everything that uses
libwrap.a is pretty easy to maintain.
Jonathan Patschke ) "Being on the Internet is not the same as being
Elgin, TX ( famous. That's like calling Cheetos 'dinner'."
USA ) --Metal Steve
More information about the rescue