[ewg] Allowing ib dignostics to be run without being logged in as root.

Doug Ledford dledford at redhat.com
Sat Jun 19 09:29:33 PDT 2010


On 05/26/2010 03:52 PM, richard at informatix-sol.com wrote:
> It's better to be statically linked.

This is not the opinion of most people I know.  It used to be the norm
back in the day, but the truth of the matter is that when it comes to
system libraries, if an attacker has managed to compromise either a
system library or the dynamic linker, then the system is already lost
and the ability to compromise your program is moot.  If, on the other
hand, you have statically linked your program and then an exploit has
been found in the library you statically linked, now your program is
vulnerable even after the system shared library has been updated.

Having said that, I've seen packages from OFED developers that tend to
do multiple of the various bad security practices.  Things like
installing libraries in places like /usr/local or even in home
directories, or using rpath in programs to allow circumvention of system
installed shared libraries.  These are things that should *never* be
done on production software or systems and should be purged from any
software prior to release.

> However all setuid programs present
> a threat. The challenge as a security administrator is to assess and
> minimize the threat. Smaller programs where you can inspect and
> understand the program are more trustable than large complex programs.

This part is very true.

-- 
Doug Ledford <dledford at redhat.com>
              GPG KeyID: CFBFF194
	      http://people.redhat.com/dledford

Infiniband specific RPMs available at
	      http://people.redhat.com/dledford/Infiniband

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openfabrics.org/pipermail/ewg/attachments/20100619/140e77e0/attachment.sig>


More information about the ewg mailing list