BIND8, BIND9 static compilation problems
Edvard Tuinder
listbind at lunytune.nl
Thu Oct 16 09:48:25 UTC 2003
According to Ivan Ivanovic:
> Quoting Mark.Andrews at isc.org:
>
> > The names service switch library (required for looking up the
> > password) requires routines that are part of the C library and
> > are not already linked into the executable.
>
> then, what is the point of creating static binary when it's not
> functional in production env.? No wonder BIND (ISC) software hits
> first place at SANS "The Twenty Most Critical Internet Security
> Vulnerabilities" http://www.sans.org/top20/#u1
> when you have this approach to security measures.

You are missing the point that Mark tried to make.

It is not bind-code that is using these dynamic libraries. These are
OS functions (or rather libc functions) which require these dynamic
libraries.

The NSS functions the named executable tries to reference probably stem
from a function call to getpwnam() or something similar. It is the libc
and/or OS choice to make this a dynamic call. If the OS does not provide
static libnss* libraries, then no program can be compiled entirely
static.

As Mark put it:

    The names service switch library (required for looking up the
    password) requires routines that are part of the C library and
    are not already linked into the executable.

However, to fulfill your original requirement, to not have a libc.so.X in
your chroot environment: this is possible, as long as you provide the
NSS libraries (and probably the other files you quoted in one of your
other messages in this thread).

Alternatively, fix the OS/libc on your system in such a way that the libnss
libraries are available statically, or file a bug report with your OS vendor.
If libnss is available statically, named will not need any dynamic libraries.

-Ed
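
The reply above says a chroot works as long as the NSS libraries are provided. As an added example (not part of the original thread), this script lists which NSS module files a chroot tree lacks for one database such as `passwd`; it assumes glibc conventions (`etc/nsswitch.conf`, modules named `libnss_<service>.so.2`), since the thread does not name the OS, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes glibc conventions:
# ROOT/etc/nsswitch.conf and modules named libnss_<service>.so.2.
# Hypothetical usage: nss_missing /path/to/chroot passwd

# nss_services ROOT DATABASE: print the services configured for DATABASE.
nss_services() {
    nss_conf="$1/etc/nsswitch.conf"
    [ -r "$nss_conf" ] || { echo "cannot read $nss_conf" >&2; return 2; }
    # Strip comments, tolerate "passwd:files", then keep only service names;
    # tokens such as [NOTFOUND=return] are actions, not modules.
    sed -e 's/#.*//' -e 's/:/: /' "$nss_conf" |
    awk -v db="$2:" '$1 == db {
        for (i = 2; i <= NF; i++)
            if (!index($i, "=") && !index($i, "[") && !index($i, "]"))
                print $i
    }'
}

# nss_missing ROOT DATABASE: print each module file absent from ROOT.
# Presence anywhere under ROOT is accepted; it does not prove the file is
# on the loader's search path.
nss_missing() {
    nss_root="$1"
    nss_list=$(nss_services "$nss_root" "$2") || return 2
    for nss_svc in $nss_list; do
        nss_lib="libnss_${nss_svc}.so.2"
        if [ -z "$(find "$nss_root" -name "$nss_lib" 2>/dev/null | head -n 1)" ]; then
            echo "$nss_lib"
        fi
    done
    return 0
}
```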