... darkrealms ...

Forums before death by AOL, social media and spammers... "We can't have nice things"

alt.os.linux.gentoo

Stupid OS you gotta compile EVERYTHING

17,684 messages

[ << oldest | < older | list | newer > | newest >> ]

Message 15,751 of 17,684

Martin Vaeth to Arthur Hagen

Re: Gentoo now links with every lib?

17 Aug 07 14:20:56

   From: vaeth@mathematik.uni-wuerzburg.de   

   Arthur Hagen  wrote:   
   > On Thu, 2007-08-16 at 11:43 +0000, Martin Vaeth wrote:   
   >> -Wl,--relax and -Wl,-z,now.   
   >> In particlar, I recommend the latter for security reasons. (Unfortunately,   
   >> xorg itself has problems with this option).   
   >   
   > I strongly recommend *against* ever using "-Wl,-z,now", because it   
   > causes libraries that might not even be used to be loaded, increasing   
   > both startup time and memory usage.   

   Concerning memory usage, I found no dramatic difference on my system, but   
   actually startup time of large programs like kde has even slighly   
   decreased with -Wl,-z,now.   
   This might be by accident (better placement of libraries on the harddisk)   
   but perhaps the "later" resolving of symbols has some more overhead   
   (I suspect that lazy linking might even increase the runtime if a library   
   function is often called, because the linker has to check first that   
   it is there? However, I have not analyzed the code or made experiments   
   whether this is correct.)   
   Nevertheless, these are minor points IMHO.   
   I am more concerened about the security issue:   
   To be honest, I did not understand the reason precisely, but roughly,   
   I think that the problem is that the code pages are associated   
   to owners and that you might somehow be able to modify the   
   library of a lazy-linked program of a different owner.   
   Perhaps this problem happens only for SUID or GUID programs.   
   But firstly, there are a lot of such programs on a system, and   
   secondly, these programs in turn use libraries (I am not sure what   
   happens if a -Wl,-z,now linked binary uses a library which is linked   
   without this flag). So I think that with -Wl,-z,now you are usually   
   on the safer side.   

   > IMO, the better solution to avoid   
   > library impersonation is to use -rpath when linking.   

   I do not understand how this solves the above security issue.   
   Moreover, if it does, how can you be sure that all packages on your system   
   use -rpath in the correct manner? (It is practically impossible to   
   check manually all installation scripts of all installed packages).   

   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)

[ << oldest | < older | list | newer > | newest >> ]