Firewall Wizards mailing list archives
Re: X server in a Firewall
From: Chuck Swiger <chuck () codefab com>
Date: Fri, 27 Jan 2006 19:24:28 -0500
R. DuFresne wrote:
> On Tue, 24 Jan 2006, Chuck Swiger wrote:
> [ ... ]
>> 5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
>> -rw-r--r-- 1 root wheel 893K Sep 1 02:30 openssh-4.2p1.tar.gz
>> -rw-r--r-- 1 root wheel 31M Feb 25 2005 xorg/X11R6.8.2-src1.tar.gz
>> -rw-r--r-- 1 root wheel 3.8M Feb 25 2005 xorg/X11R6.8.2-src2.tar.gz
>> -rw-r--r-- 1 root wheel 9.9M Feb 25 2005 xorg/X11R6.8.2-src3.tar.gz
>
> Still missing a good chuck of ssh in there, where's the openssl tarball?

"Good chuck"? :-) On the platform in question-- FreeBSD-- OpenSSL is part of the base system libraries. Zlib is optional for SSH, but would also be found from the base system libraries. The source to those would add about 2.5MB worth, and there's another 1.5MB for libc itself if you want to count that, too.

> Granted not as large as the X tarballs, but, folks should never have the impression that ssh stands alone. In fact there are a few more tarballs that should be in this mix, zlib, and likely a few crypto ones as well. While still lopsided in code weight, not as lopsided as making the error that ssh is a stand alone....

Not many binaries are completely standalone nowadays, aside from the kernel, init, and maybe /bin/sh. Most things dynamically load libc in particular, but we can take a look at the details if you like. By my count, the # of dependent shared libraries is 5 for the SSH programs, and 46 for the baseline X11 binaries, excluding something like KDE or Gnome:

% ldd -f "%p\n" /usr/bin/ssh* | sort | uniq
/lib/libc.so.5
/lib/libcrypto.so.3
/lib/libssh.so.2
/lib/libutil.so.4
/lib/libz.so.2

% ldd -f "%p\n" /usr/X11R6/bin/* | sort | uniq
/lib/libc.so.5
/lib/libcrypt.so.2
/lib/libm.so.3
/lib/libncurses.so.5
/lib/libutil.so.4
/lib/libz.so.2
/usr/X11R6/lib/libFS.so.6
/usr/X11R6/lib/libGL.so.1
/usr/X11R6/lib/libGLU.so.1
/usr/X11R6/lib/libICE.so.6
/usr/X11R6/lib/libSM.so.6
/usr/X11R6/lib/libX11.so.6
/usr/X11R6/lib/libXTrap.so.6
/usr/X11R6/lib/libXau.so.0
/usr/X11R6/lib/libXaw.so.8
/usr/X11R6/lib/libXcursor.so.1
/usr/X11R6/lib/libXdmcp.so.0
/usr/X11R6/lib/libXext.so.6
/usr/X11R6/lib/libXfont.so.1
/usr/X11R6/lib/libXft.so.2
/usr/X11R6/lib/libXi.so.6
/usr/X11R6/lib/libXinerama.so.1
/usr/X11R6/lib/libXmu.so.6
/usr/X11R6/lib/libXmuu.so.1
/usr/X11R6/lib/libXp.so.6
/usr/X11R6/lib/libXpm.so.4
/usr/X11R6/lib/libXrandr.so.2
/usr/X11R6/lib/libXrender.so.1
/usr/X11R6/lib/libXss.so.1
/usr/X11R6/lib/libXt.so.6
/usr/X11R6/lib/libXtst.so.6
/usr/X11R6/lib/libXv.so.1
/usr/X11R6/lib/libXxf86dga.so.1
/usr/X11R6/lib/libXxf86misc.so.1
/usr/X11R6/lib/libXxf86vm.so.1
/usr/X11R6/lib/libdps.so.1
/usr/X11R6/lib/libfontconfig.so.1
/usr/X11R6/lib/libfontenc.so.1
/usr/X11R6/lib/libxkbfile.so.1
/usr/X11R6/lib/libxkbui.so.1
/usr/lib/libpam.so.2
/usr/lib/libpthread.so.1
/usr/lib/libstdc++.so.4
/usr/local/lib/libexpat.so.5
/usr/local/lib/libfreetype.so.9
/usr/local/lib/libpng.so.5

However, I'm pretty sure this is the long way around in terms of considering the relative security of the two. SSH is not normally installed setuid-root, whereas the Xserver binary and often xterm or xdm normally are setuid-root.

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
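
Added example, not part of the original message: a shell script that measures the two things the message compares, the number of unique shared libraries a set of binaries pulls in and which of those binaries are setuid-root. The function names (unique_libs, setuid_root_files, sample_ldd_output) are hypothetical and the sample ldd output is constructed.

```sh
#!/bin/sh
# Added example: measure the two things compared in the message above,
# unique shared-library dependencies and setuid-root binaries.
# All function names and the sample data are hypothetical/constructed.

# Read ldd output on stdin, print each resolved library path once.
# Accepts "name => /path (addr)" lines and bare paths (ldd -f "%p\n").
unique_libs() {
    awk '
        /:$/ { next }                        # "/usr/bin/ssh:" header line
        { for (i = 1; i < NF; i++)
              if ($i == "=>" && $(i + 1) ~ /^\//) { print $(i + 1); next } }
        $1 ~ /^\// { print $1 }              # bare path; "not found" is skipped
    ' | LC_ALL=C sort -u
}

# Print those of the given files that are setuid and owned by uid 0.
# -H follows symlinks named on the command line; -prune prevents descent.
setuid_root_files() {
    [ "$#" -gt 0 ] || return 0
    find -H "$@" -prune -type f -user 0 -perm -4000 -print
}

# Constructed ldd output for two binaries (addresses are made up).
sample_ldd_output() {
    cat <<'EOF'
/usr/bin/ssh:
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x280a1000)
    libz.so.2 => /lib/libz.so.2 (0x28190000)
    libc.so.5 => /lib/libc.so.5 (0x281a0000)
/usr/bin/ssh-add:
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x2808b000)
    libc.so.5 => /lib/libc.so.5 (0x2817a000)
    libmissing.so.1 => not found
EOF
}

# Demo on the constructed sample. On a real host:
#   ldd /usr/bin/ssh* | unique_libs | wc -l
#   setuid_root_files /usr/X11R6/bin/*
sample_ldd_output | unique_libs
```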