Subject: re: static linking for NetBSD
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 09/16/2003 17:50:14
I'll tell you why I don't like dynamic linking, particularly for critical
system components: file and system management.
Do you know how many times I've had to rescue RedHat systems when the
(DUE TO SECURITY VULNERABILITY!) to the shared libraries left the system
in a state where the PAM (YES!) was broken and nobody could login? Or worse,
you can even type "ln" because /lib/ld-linux.so.2 is incompatible with
/lib/glibc-X.Y.Z?
Linux is rapidly approaching Windows-Style DLL bit-rot.
I find it much easier to do:
% /sbin/md5sum /sbin/login
and compare that value to a known to be good (non-trojan'ed) /sbin/login,
knowing that since it doesn't load anything, it can't be trojan'ed by libc
or ld screwing. I just find static linked binaries easier to cope with,
easier to upgrade, and easier to verify.
did you ever wonder why luke went to the trouble of creating /rescue?
netbsd systems are EASIER to recover from critical system failure now
because of /rescue than ever before, regardless of static vs. dynamic
/bin and /sbin.
netbsd != linux.
.mrg.