Bugtraq mailing list archives

Re: a point is being missed


From: mcn () EnGarde com (Mike Neuman)
Date: Wed, 8 Nov 1995 10:35:35 -0600


Casper Dik <casper () holland sun com> wrote:

I have not yet seen any good arguments against dynamic linking.
Environment variables and other environmental tricks have always been
possible in Unix.

  I don't quite understand this argument. "Sure login is a gaping security
hole, but we're not going to fix it because OTHER programs are gaping security
holes too!" If you haven't seen a good argument against dynamic linking, read
the telnet vulnerability again. The way Sun chose to fix it is a big hack (the
PASSENV_ thing, as well as ignored LD_*, IFS, and no-doubt undocumented
others). Hacks are *NOT* the way to write good secure code!

  Unfortunately, I think we're stuck with this dynamic linking propaganda from
Sun. There are lots of nice side effects of dynamic linking (consistent ABIs,
easy upgradability, etc). In fact, supposedly this is the reason Sun made the
switch to System V from the far superior BSD-based SunOS. (Hey, if Sun can
force their propaganda down our throats, I can at least give my opinion) :-)

  If you'd like the full doctrine of Sun regarding dynamic linking, see
_Expert_C_Programming_, Peter Van der Linden, SunSoft Press, ISBN
0-13-177429-8 pp 114-121.

-Mike
mcn () EnGarde com
http://www.engarde.com/~mcn


