bind-9 and static

Dave Wreski dave at nic.com
Thu Sep 21 01:21:19 UTC 2000



> 	Named is not a suid executable, it is not designed as a suid
> 	executable.  It is however designed to be started by root
> 	and optionally change to running as a different user.

Yes, I've been running it that way for quite a while.

> 	Linking statically actually exposes you to more risk rather
> 	than less as you don't pick up bug fixes to libraries as
> 	easily.

Yes, I understood that. I agree the overhead wasn't exactly a desired
effect. I was interested in learning more about it as well as thinking
that since it would be running as an unprivileged user the
likelihood of installing a suid or other potential avenue for exploit
would be reduced. (I also understand that it would probably be just as
easy for the cracker to bring his own libc with him...)

> 	Then you don't understand why people wanted named (or more
> 	particularly named-xfer) linked statically for chroot in the
> 	first place.

Okay, at the risk of sounding even more naive, I understood the reason for
that to be that since they were the two daemons that listened on network
sockets they were susceptible to remote attacks, previously causing
buffer overflow and a subsequent root shell.

> 	Run the following and post the results.
> 
> 	script
> 	make distclean
> 	env CFLAGS="-O2 -static" ./configure

Okay, I used 'export CFLAGS' here. Argh.

Thanks much for your help.
Dave
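The "export CFLAGS" versus "env CFLAGS=... ./configure" slip above comes down to variable scope: the env form hands the assignment only to that one child process, while export changes the calling shell and every later command run from it (including anything else captured in the `script` transcript, such as the subsequent make). The following is an added illustration, not code from the thread or from BIND; the `sh -c` child stands in for ./configure and only reports the CFLAGS value it receives.

```shell
#!/bin/sh
# Added example: scope of `env VAR=value cmd` versus `export VAR=value`.
# Each function returns "<what the child saw>|<what the shell has afterwards>".

# Per-command assignment: only the child process sees CFLAGS.
run_with_env() {
    unset CFLAGS
    # The child (a stand-in for ./configure) prints the CFLAGS it received.
    seen=$(env CFLAGS="-O2 -static" sh -c 'printf "%s" "${CFLAGS:-unset}"')
    after=${CFLAGS:-unset}
    printf '%s|%s' "$seen" "$after"
}

# Exported assignment: the child sees CFLAGS, and so does the calling shell
# for every command that follows (which is why a recorded session drifts).
run_with_export() {
    unset CFLAGS
    export CFLAGS="-O2 -static"
    seen=$(sh -c 'printf "%s" "${CFLAGS:-unset}"')
    after=${CFLAGS:-unset}
    result="$seen|$after"
    unset CFLAGS            # tidy up so the demo leaves no trace behind
    printf '%s' "$result"
}

# Stand-alone usage: show both behaviours side by side.
printf 'env:    %s\n' "$(run_with_env)"
printf 'export: %s\n' "$(run_with_export)"
```

Because each function is invoked inside `$(...)`, the export in the second one never leaks into the interactive shell that runs the script; in a real configure session there is no such subshell, which is exactly the difference the thread is pointing at.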
