Subject: Re: HEADS UP: migration to fully dynamic linked "base" system
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Johnny Billquist <bqt@update.uu.se>
List: current-users
Date: 08/27/2002 17:55:37
On Tue, 27 Aug 2002, Jason R Thorpe wrote:
> On Tue, Aug 27, 2002 at 05:34:14PM +0200, Johnny Billquist wrote:
>
> > While true, that goes both ways. It also becomes a potentially more
> > dangerour system. Sneak things into libc, and you have an even better
> > chance at perverting things.
>
> What a totally absurd argument. If someone puts a trojan in your libc,
> you're hosed, period. This is true whether or not /bin and /sbin
> are static.
Look, I didn't want to take the security discussion, but if you insist...
Yes, you are most likely hosed if your libc becomes compromised.
But you have to realize it as well. Without /bin and /sbin dynamically
linked, they are more protected anyhow, and can be more trusted (even
though that's no guarantee either), and you can perhaps make it back from
there. With dynamically linked stuff, you'll have to revert to
/rescue.
> If you want to prevent (or at least make extremely difficult) this, then
> set the "immutable" bit on the shlib, and run at a high kern.securelevel.
That's actually something I would think NetBSD should default to.
Heck, you're talking to someone who have a tradition of physically
write-protect drives with "interesting" binaries on public systems...
(Another reason I don't like PC hardware; where is the write protect
switch? :-)
Johnny
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt@update.uu.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol