[2350] in bugtraq
Re: a point is being missed
daemon@ATHENA.MIT.EDU (Scott Barman)
Fri Nov 3 21:14:09 1995
Date: Fri, 3 Nov 1995 17:40:47 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Scott Barman <scott@Disclosure.COM>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199511031457.JAA13148@narq.avian.org>
On Fri, 3 Nov 1995, *Hobbit* wrote:
> Why in all this telnetd flap has nobody mentioned that /bin/login should
> be relinked STATICALLY? That at least defers the LD_* class of problem
> until after login has done the setuid and exec, but still leaves things
> like IFS passed to scripts.
>
> Still, my own rule of thumb is that any binary that talks to the net,
> handles inbound connections, handles authentication, etc ... should not be
> depending on shared libs. It's well worth the miniscule disk space hit.
> Vendors, LISSEN UP.
I agree 100%. However, have you ever tried to do that under Solaris 2.4?
I once convinced a client to build a firewall with SunOS 4.1.4 rather
than Solaris 2 because we couldn't statically link with many of the
libraries (e.g., there is no static -lresolv and in -lnsl one of the
gethost* or get-something functions is not compiled correctly in the
static version of the library). I also haven't seen a patch from Sun
that would fix this, either.
With 2.5 a few days away, and since I am not a beta tester, I was
wondering if someone knew if this was fix?
TIA
scott barman
--
scott barman DISCLAIMER: I speak to anyone who will listen,
scott@disclosure.com and I speak only for myself.
barman@ix.netcom.com
"I don't know if security explains why the Win95 support Web servers run BSDI
2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is
the ideal Web software solution. Does Redmond know something we don't know?"
-Robert X. Cringely, INFORWORLD, 9/11/95
