SL> Date: Tue, 18 Nov 2003 17:06:06 -0700 (MST)
SL> From: Scott Long

SL> 3. Binary security updates: there is a lot of interest in providing a
SL> binary update mechanism for doing security updates. Having a dynamic
SL> root means that vulnerable libraries can be updated without having to
SL> update all of the static binaries that might use them.

Although this doesn't help the upgrade process, what if one symbol
(such as function name + CVS tag) were exported per function? One
could check for a vulnerability by strings | grep funcname | inspect CVS tag.

A more elegant approach would be to store such versioning in another
segment and have a tool that understands the data, a la debugger
symbols.

On a different note:

+ Some of us have had a few bad experiences with glibc (granted,
  it's glibc) upgrades when the shell, cp, ls, et cetera are
  dynamically linked.

+ I put the shell of choice and all of SSH's guts on the root
  partition... if /usr gets clobbered, I still want to be able to
  boot and log in remotely. If / gets clobbered, I have bigger
  problems. :-)

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist_at_brics.com -or- alfra_at_intc.net -or- curbjmp_at_intc.net
Sending mail to spambait addresses is a great way to get blocked.

Received on Wed Nov 19 2003 - 12:16:55 UTC
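The "strings | grep funcname | inspect CVS tag" check from the message above, written out as an added example; it is not part of the original post and not FreeBSD code. It assumes a hypothetical per-function marker of the form `FNVER:<function>:<CVS revision>`, and the sample file and revision numbers are constructed.

```sh
#!/bin/sh
# Assumption: every function embeds "FNVER:<funcname>:<cvs-revision>" in the
# binary (hypothetical marker format, chosen for this example only).

# rev_lt A B: succeed if dotted CVS revision A is older than B.
# Fields are compared numerically, so 1.9 < 1.10 (a plain string sort gets
# this wrong) and a trunk revision sorts before its own branch (1.2 < 1.2.2.1).
rev_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal revisions are not "older"
}

# check_func FILE FUNC FIXED_REV
# Returns 0 if every embedded copy of FUNC is at or past FIXED_REV,
# 1 if any copy is older (a static binary may carry several), 2 if untagged.
check_func() {
    file=$1 func=$2 fixed=$3 status=2
    for rev in $(LC_ALL=C grep -a -o "FNVER:$func:[0-9][0-9.]*" "$file" | cut -d: -f3); do
        if rev_lt "$rev" "$fixed"; then
            echo "$file: $func $rev < $fixed VULNERABLE"
            return 1
        fi
        status=0
    done
    if [ "$status" -eq 0 ]; then
        echo "$file: $func at or past $fixed"
    else
        echo "$file: $func carries no version tag"
    fi
    return "$status"
}

# make_sample FILE: write a constructed stand-in for a binary, with
# NUL-separated junk and two tagged functions (names and revisions made up).
make_sample() {
    printf '\177ELF\0\0junk\0FNVER:parse_header:1.9\0\0FNVER:read_reply:1.12.2.3\0' > "$1"
}
```

An untagged binary returns 2 rather than 0, so a missing marker is never read as "fixed".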