Firewall Wizards mailing list archives

Re: X server in a Firewall


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 27 Jan 2006 19:24:28 -0500

R. DuFresne wrote:
On Tue, 24 Jan 2006, Chuck Swiger wrote:
[ ... ]
5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
-rw-r--r--  1 root  wheel   893K Sep  1 02:30 openssh-4.2p1.tar.gz
-rw-r--r--  1 root  wheel    31M Feb 25  2005 xorg/X11R6.8.2-src1.tar.gz
-rw-r--r--  1 root  wheel   3.8M Feb 25  2005 xorg/X11R6.8.2-src2.tar.gz
-rw-r--r--  1 root  wheel   9.9M Feb 25  2005 xorg/X11R6.8.2-src3.tar.gz

Still missing a good chuck of ssh in there, where's the openssl tarball?

"Good chuck"? :-)

On the platform in question-- FreeBSD-- OpenSSL is part of the base system
libraries.  Zlib is optional for SSH, but would also be found from the base
system libraries.

The source to those would add about 2.5MB worth, and there's another 1.5MB for
libc itself if you want to count that, too.

Granted not as large as the X tarballs, but, folks should never have the
impression that ssh stands alone.  In fact there are a few more tarballs
that should be in this mix, zlib, and likely a few crypto ones as well.

While still lopsided in code weight, not as lopsided as making the error
that ssh is standalone....

Not many binaries are completely standalone nowadays, aside from the kernel,
init, and maybe /bin/sh.  Most things dynamically load libc in particular, but we
can take a look at the details if you like.

By my count, the # of dependent shared libraries is 5 for the SSH programs, and
46 for the baseline X11 binaries, excluding something like KDE or Gnome:

% ldd -f "%p\n" /usr/bin/ssh* | sort | uniq
/lib/libc.so.5
/lib/libcrypto.so.3
/lib/libssh.so.2
/lib/libutil.so.4
/lib/libz.so.2

% ldd -f "%p\n" /usr/X11R6/bin/* | sort | uniq
/lib/libc.so.5
/lib/libcrypt.so.2
/lib/libm.so.3
/lib/libncurses.so.5
/lib/libutil.so.4
/lib/libz.so.2
/usr/X11R6/lib/libFS.so.6
/usr/X11R6/lib/libGL.so.1
/usr/X11R6/lib/libGLU.so.1
/usr/X11R6/lib/libICE.so.6
/usr/X11R6/lib/libSM.so.6
/usr/X11R6/lib/libX11.so.6
/usr/X11R6/lib/libXTrap.so.6
/usr/X11R6/lib/libXau.so.0
/usr/X11R6/lib/libXaw.so.8
/usr/X11R6/lib/libXcursor.so.1
/usr/X11R6/lib/libXdmcp.so.0
/usr/X11R6/lib/libXext.so.6
/usr/X11R6/lib/libXfont.so.1
/usr/X11R6/lib/libXft.so.2
/usr/X11R6/lib/libXi.so.6
/usr/X11R6/lib/libXinerama.so.1
/usr/X11R6/lib/libXmu.so.6
/usr/X11R6/lib/libXmuu.so.1
/usr/X11R6/lib/libXp.so.6
/usr/X11R6/lib/libXpm.so.4
/usr/X11R6/lib/libXrandr.so.2
/usr/X11R6/lib/libXrender.so.1
/usr/X11R6/lib/libXss.so.1
/usr/X11R6/lib/libXt.so.6
/usr/X11R6/lib/libXtst.so.6
/usr/X11R6/lib/libXv.so.1
/usr/X11R6/lib/libXxf86dga.so.1
/usr/X11R6/lib/libXxf86misc.so.1
/usr/X11R6/lib/libXxf86vm.so.1
/usr/X11R6/lib/libdps.so.1
/usr/X11R6/lib/libfontconfig.so.1
/usr/X11R6/lib/libfontenc.so.1
/usr/X11R6/lib/libxkbfile.so.1
/usr/X11R6/lib/libxkbui.so.1
/usr/lib/libpam.so.2
/usr/lib/libpthread.so.1
/usr/lib/libstdc++.so.4
/usr/local/lib/libexpat.so.5
/usr/local/lib/libfreetype.so.9
/usr/local/lib/libpng.so.5

However, I'm pretty sure this is the long way around in terms of considering the
relative security of the two.  SSH is not normally installed setuid-root,
whereas the Xserver binary and often xterm or xdm normally are setuid-root.

-- 
-Chuck
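
As an added example (not part of the original message, and not a FreeBSD or OpenSSH tool), the script below automates the two checks made in the message: the union of shared-library dependencies over a set of binaries (the `ldd ... | sort | uniq` step) and which of those binaries are installed setuid-root. It assumes an `ldd` on the PATH and parses both FreeBSD's bare-path output and GNU ldd's "name => path" lines; the `/usr/X11R6/bin` path in the demo block is the one from the message and is a placeholder elsewhere.

```python
import glob
import os
import re
import stat
import subprocess
from typing import Dict, Iterable, List, Set

# GNU ldd prints "name => /path (0xaddr)"; FreeBSD's `ldd -f "%p\n"`
# (as used in the message above) prints the bare library path.
_LDD_ARROW = re.compile(r"=>\s*(\S+)")

def parse_ldd(output: str) -> Set[str]:
    """Return the set of absolute library paths named in ldd output."""
    libs: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):  # "/usr/bin/ssh:" header lines
            continue
        m = _LDD_ARROW.search(line)
        path = m.group(1) if m else line.split()[0]
        if path.startswith("/"):            # skips vdso and "=> not found"
            libs.add(path)
    return libs

def footprint(binaries: Iterable[str]) -> Set[str]:
    """Union of shared libraries across binaries: the `sort | uniq` step."""
    libs: Set[str] = set()
    for b in binaries:
        try:
            proc = subprocess.run(["ldd", b], capture_output=True, text=True, check=False)
        except FileNotFoundError:           # no ldd on this host
            break
        libs |= parse_ldd(proc.stdout)
    return libs

def compare(a: Set[str], b: Set[str]) -> Dict[str, object]:
    """Dependency counts plus the libraries only the second set drags in."""
    return {"count_a": len(a), "count_b": len(b), "only_b": sorted(b - a)}

def setuid_files(paths: Iterable[str], owner_uid: int = 0) -> List[str]:
    """Regular files with the setuid bit that are owned by owner_uid (root by default)."""
    hits = []
    for p in paths:
        st = os.lstat(p)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
            hits.append(p)
    return sorted(hits)

if __name__ == "__main__":
    ssh = glob.glob("/usr/bin/ssh*")
    x11 = glob.glob("/usr/X11R6/bin/*")    # placeholder path taken from the message
    print(compare(footprint(ssh), footprint(x11)))
    print("setuid-root:", setuid_files(ssh + x11))
```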

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards