[rescue] SGI fw_sshd and security

Jonathan C. Patschke jp at celestrion.net
Sun Mar 7 03:20:39 CST 2004

On Sat, 6 Mar 2004, Meelis Roos wrote:

> We had a discussion at $WORK some days ago about whether to link zlib
> dynamically or statically. We decided to load it dynamically because of
> _security reasons_ - when a security bug was found in zlib, it was a
> pain in the ass to recompile every binary that linked zlib statically
> and on some machines some binaries were probably still left vulnerable.

Look at it from the other way.  What if someone finds a way to overwrite
libwrap.so with a trojaned one by use of a local exploit?  Keep in mind
that most code that uses libwrap.so tends to also have root privileges
and be associated with a network connection.

Security-conscious code like that should be statically-linked.  Period.
Updating software is a PITA, sure, but a list of everything that uses
libwrap.a is pretty easy to maintain.

Jonathan Patschke  ) "Being on the Internet is not the same as being
Elgin, TX         (   famous.  That's like calling Cheetos 'dinner'."
USA                )                                    --Metal Steve

More information about the rescue mailing list