Bugtraq mailing list archives
Re: a point is being missed
From: scott () Disclosure COM (Scott Barman)
Date: Fri, 3 Nov 1995 17:40:47 -0500
On Fri, 3 Nov 1995, *Hobbit* wrote:
> Why in all this telnetd flap has nobody mentioned that /bin/login should be relinked STATICALLY? That at least defers the LD_* class of problem until after login has done the setuid and exec, but still leaves things like IFS passed to scripts. Still, my own rule of thumb is that any binary that talks to the net, handles inbound connections, handles authentication, etc ... should not be depending on shared libs. It's well worth the minuscule disk space hit. Vendors, LISSEN UP.
I agree 100%. However, have you ever tried to do that under Solaris 2.4? I once convinced a client to build a firewall with SunOS 4.1.4 rather than Solaris 2 because we couldn't statically link with many of the libraries (e.g., there is no static -lresolv and in -lnsl one of the gethost* or get-something functions is not compiled correctly in the static version of the library). I also haven't seen a patch from Sun that would fix this, either. With 2.5 a few days away, and since I am not a beta tester, I was wondering if someone knew if this was fixed?

TIA

scott barman

--
scott barman
scott () disclosure com
barman () ix netcom com
DISCLAIMER: I speak to anyone who will listen, and I speak only for myself.

"I don't know if security explains why the Win95 support Web servers run BSDI 2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is the ideal Web software solution. Does Redmond know something we don't know?" -Robert X. Cringely, INFOWORLD, 9/11/95
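
Added example, not part of the original message or thread: one way to audit which binaries depend on the runtime linker (the component that honours LD_* variables), by looking for a PT_INTERP program header in an ELF image. It assumes ELF binaries (Solaris 2 and later systems, not SunOS 4 a.out); the function names and the sample images are constructed for illustration.

```python
import struct
import sys

PT_LOAD, PT_INTERP = 1, 3  # PT_INTERP names the runtime linker (ld.so)

def elf_link_type(data: bytes) -> str:
    """Return 'dynamic' if the ELF image requests a runtime linker, else 'static'."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    if len(data) < (0x34 if ei_class == 1 else 0x40):
        raise ValueError("truncated ELF header")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:              # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)  # p_type is first
        if p_type == PT_INTERP:
            return "dynamic"
    # No interpreter requested. Static-PIE images also land here: they carry
    # PT_DYNAMIC but relocate themselves and never invoke ld.so.
    return "static"

def sample_elf64(ptypes):
    """Constructed minimal little-endian ELF64 header plus program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                      64, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
    return ident + hdr + phdrs

if __name__ == "__main__":
    # Usage: python3 this_file.py /bin/login /usr/sbin/in.telnetd ...
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                print(f"{path}: {elf_link_type(fh.read())}")
        except (OSError, ValueError) as exc:
            print(f"{path}: skipped ({exc})")
```
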