bind-9 and static

[Mark.Andrews at nominum.com]

> Yes, I understood that. I agree the overhead wasn't exactly a desired
> effect. I was interested in learning more about it as well as thinking
> that thinking that since it would be running as an unprivilged user the
> likelyhood of installing an suid or other potential avenue for exploit
> would be reduced. (I also understand that it would probably be just as
> easy for the cracker to bring his own libc with him...)
> 
	Never take an executable that has not been designed for suid
	operation and set the suid bit.  Static vs dynamic linking
	won't make a difference to the potential vunerabilities caused
	by doing this.

	Setting the suid bit on named is a sure way to allow your system
	compromised from a local account.

> > 	Then you don't understand why people wanted named (or more
> > 	particularly named-xfer) linked statically for chroot in the
> > 	first place.
> 
> Okay, at the risk of sounding even more naive, I understood the reason for
> that to be that since they were the two daemons that listened on network
> sockets they were susceptible to remote attacks, previously causing
> buffer overflow and a subsequent root shell.

	For named-xfer to run in the chroot jail it needs to have the
	shared libraries in the jail as well.  If you statically link
	it there are less things you have to put in the jail for it to
	work.

> 
> > 	Run the following and post the results.
> > 
> > 	script
> > 	make distclean
> > 	env CFLAGS="-O2 -static" ./configure
> 
> Okay, I used 'export CFLAGS' here. Argh.
> 
> Thanks much for your help.
> Dave
> 
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com