[2370] in bugtraq
Re: a point is being missed
daemon@ATHENA.MIT.EDU (Casper Dik)
Wed Nov 8 03:34:51 1995
Date: Mon, 6 Nov 1995 13:12:21 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Casper Dik <casper@Holland.Sun.COM>
X-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: Your message of "Sat, 04 Nov 1995 21:12:05 EST."
<199511050212.VAA12038@Collatz.McRCIM.McGill.EDU>
>(What's "static dynamic linking"?) Who's "we"? I notice you're
>sending from a sun.com address, so I assume "we" is Sun (er, SunSoft,
>whoever). In that case, "we can't do that" is just false. You (they)
>may not be willing to, but there is no reason why a libdl.a couldn't
>exist, with full functionality, mapping ld.so the first time it's
>needed.
Let me say first that I don't speak for SunSoft. This doesn't
change the fact that it is nearly impossible to do static linking
on Solaris 2.x. (And static dynamic linking is a slip of the keyboard).
I have not yet seen any good arguments against dynamic linking.
Environment variables and other environmentel tricks have always been
possible in Unix. The LD* variables have made the need for
environmental control much more obvious. su/login/sendmail didn't
do proper cleanup and passed almost any environment variable to
sub processes. That was not a problem introduced by dynamic linking.
It was a problem that had existed for a long time but that had gone largely
unnoticed. Even $TERM is dangerous in some circumstances.
>However, there is no reason why this has to be so. One option is to
>always create the dynamic-linker structures. Another is to create them
>in the presence of an option, which is documented as being necessary
>for libdl.a to work. Or perhaps ld could do it upon the presence of
>some indication in the files being linked, such as a reference to an
>undefined external called __ld_dynamic_stabs. Another way would be to
>teach ld to effectively do what ld.so does, so that it can take a .so
>file as a library even when doing a static link - and when it does so,
>have it create dynamic-linker structures in the resulting executable.
>(I've often wished for a tool that would take a dynamically linked
>a.out, chase down the .so files necessary, merge everything, and write
>out a new a.out that is effectively statically linked. I've even
>speculated about writing one, even though I really don't know enough
>about the dynamic linker at present.)
First of all: all authentication programs are extensible through dynamic
linking, all localized programs are extensible through dynamic linking,
etc. Dynamic linking is required.
Now what about libdl.a?
By putting libdl.a in a program you don't fix anything: you again have code
that searches LD_LIBRARY_PATH or even honors LD_PRELOAD.
What have you gained? You still are vulnerable to the same problems
and all you have done is spend countless man hours to make /usr/lib/ld.so
into a libdl.a (libdl.so isn't a library), changing ld, etc.
>I would argue, though, that an even better solution is to redesign the
>symbol-table mechanism. Just move the symbol table into the text
>segment and it's always available in any executable. Besides, doing
>that reduces the disk space wastage that arises in the current scheme
>from storing a symbol table in the usual a.out place and then storing
>another copy of the symbol table, in a different layout, as part of the
>executable's loaded segments. With a little care in the <a.out.h>
>macros like N_SYMOFF and N_STROFF, existing code should even work with
>this scheme, assuming it's well-behaved (basically, that it uses said
>macros and doesn't need to grow either segment).
This I agree with: there's no need to waste all that space.
>No, I'm sorry, Sun may be unwilling to go to the trouble to link login
>static (and indeed, they probably are - they've demonstrated an
>unwillingness to go to any sort of trouble for the sake of security
>until prodded by wide publicity of a problem). But claiming that
>they're unable to just doesn't hold up.
You're being unfair. Sun is pretty open about security. We publish
security patches for problems not widely know.
Besides, I don't share you opinion that linking login statically contributes
to the security of Solaris 2.x.
In Solaris 2.6, what would you rather have: a statically linked login or
a totally dynamically configurable login?
Casper
