Author: Theo Schlossnagle Date: To: Exim Users Mailing List Subject: Re: [Exim] Exim and IBM DB2
On Friday, December 14, 2001, at 04:29 PM, Greg A. Woods wrote:
> [ On Friday, December 14, 2001 at 15:13:59 (-0500), Theo Schlossnagle
> wrote: ]
>> Subject: Re: [Exim] Exim and IBM DB2
>>
>> There is a strong argument for supporting dynamically loadable modules.
>
> No, there's never ever any argument for supporting dynamically loadable
> modules in production code, especially not when the source is available,
> and NEVER when any part of the calling process might ever run as root.
That's just plain dumb. There are plenty of arguments and a vast
majority are still valid when the calling process runs as root. You
apparently just don't want to hear them.
> Dynamic loading of privileged code can never be done safely.
You clearly make some invalid assumptions in your analysis. It can be
as safe as anything else.
> Even all
> the current attempts to show how code can be signed and authenticated
It's not like you are loading them from some site somewhere. You have
the module on disk owned by root. You know its inode. Load the module
with that inode; if it has changed, Exim very well could have been
changed too. If you have byzantine code, you have a bigger problem at
this point. Signing and Authenticating is completely beside the point.
Exim isn't signed and you just arbitrarily run that...
> are missing out on some very important fundamental limitations of the
> Unix process model (and perhaps any multi-user multi-tasking system
> model!).
That is the silliest argument I have ever heard. Plenty of programs
out there use dynamically loadable modules for hooking into common
execution paths. And many of those are considered safe and have no
known exploits. Using a dynamic linker is much more dangerous than
supporting dynamically loadable modules -- there have been tons of
problems with those. And Exim is vulnerable to those attacks (if they
exist on your system with your linker/loader) because by default it
doesn't build itself statically.
Apache uses dynamically loadable modules and I am not familiar with any
exploitations that hinge on the fact that the modules were dynamically
loaded. PAM uses loadable modules.
If you are going to poke holes in the design of Unix (yes there are
many problems), do it on another list and stop using it. The rest of us
will remain content.
--
Theo Schlossnagle
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
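The inode check sketched above ("you have the module on disk owned by root, you know its inode, load the module with that inode, if it has changed refuse") can be written down concretely. The C below is an added example for this thread, not Exim code and not something either poster published. The `module_id` record, the `module_verify` / `module_record` functions and the error codes are all assumptions made here; so is the extra policy of refusing group- or world-writable files and symlinks, which the message does not mention. The checks run on the opened descriptor rather than on the path, so the file that was checked is the file a loader would go on to `dlopen()` (on Linux via `/proc/self/fd/N`; that step is only described in a comment, no shared object is loaded). The self-test uses constructed temporary files, not real modules, and records the test process's own uid as the expected owner because it does not run as root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity of an approved module file, recorded when it was installed
   (hypothetical record; the thread only says "you know its inode").
   Inode numbers are unique per filesystem only, so the device goes with it. */
struct module_id {
    dev_t dev;
    ino_t ino;
    uid_t owner;   /* expected owner: root for a daemon that runs as root */
};

enum module_check {
    MODULE_OK = 0,
    MODULE_ERR_OPEN,         /* missing, unreadable, or a symlink (O_NOFOLLOW) */
    MODULE_ERR_STAT,
    MODULE_ERR_NOT_REGULAR,  /* directory, device node, FIFO ... */
    MODULE_ERR_IDENTITY,     /* dev/inode differ from the record: file was replaced */
    MODULE_ERR_OWNER,        /* not owned by the expected user */
    MODULE_ERR_WRITABLE      /* group- or world-writable: could be rewritten in place */
};

/* Record the identity of a module that has just been installed. */
int module_record(const char *path, uid_t owner, struct module_id *out)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    out->dev = st.st_dev;
    out->ino = st.st_ino;
    out->owner = owner;
    return 0;
}

/* Open the module and check the opened file against the recorded identity.
   fstat() on the descriptor means the verdict applies to exactly the file the
   caller holds. On success the descriptor is returned in *fd_out; a loader
   would dlopen() it through that descriptor (Linux: "/proc/self/fd/N") rather
   than re-resolve the path, which would reopen a check-then-use window. */
enum module_check module_verify(const char *path, const struct module_id *want, int *fd_out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return MODULE_ERR_OPEN;

    struct stat st;
    enum module_check rc = MODULE_OK;
    if (fstat(fd, &st) != 0)
        rc = MODULE_ERR_STAT;
    else if (!S_ISREG(st.st_mode))
        rc = MODULE_ERR_NOT_REGULAR;
    else if (st.st_dev != want->dev || st.st_ino != want->ino)
        rc = MODULE_ERR_IDENTITY;
    else if (st.st_uid != want->owner)
        rc = MODULE_ERR_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        rc = MODULE_ERR_WRITABLE;

    if (rc != MODULE_OK || fd_out == NULL) {
        close(fd);
        return rc;
    }
    *fd_out = fd;
    return MODULE_OK;
}

/* Run the checks against constructed temporary files (not real modules).
   Returns 0 when every scenario gives the expected verdict, the number of the
   first scenario that did not, or -1 if the temporary files could not be set up. */
int module_selftest(void)
{
    char path[] = "/tmp/modcheck.XXXXXX";
    char other[] = "/tmp/modcheck.XXXXXX";
    char lnk[64];
    struct module_id id;
    int fd, fd2, result = 0;

    fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    chmod(path, 0644);
    /* The test process is not root, so its own uid is the expected owner. */
    if (module_record(path, geteuid(), &id) != 0) { unlink(path); return -1; }

    /* 1: the unchanged file passes */
    if (module_verify(path, &id, NULL) != MODULE_OK) result = 1;
    /* 2: same inode, but now world-writable */
    chmod(path, 0666);
    if (!result && module_verify(path, &id, NULL) != MODULE_ERR_WRITABLE) result = 2;
    chmod(path, 0644);
    /* 3: a symlink to the approved file is refused outright */
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    if (symlink(path, lnk) == 0) {
        if (!result && module_verify(lnk, &id, NULL) != MODULE_ERR_OPEN) result = 3;
        unlink(lnk);
    }
    /* 4: the path is swapped for a different inode (rename over it) */
    fd2 = mkstemp(other);
    if (fd2 < 0) { unlink(path); return -1; }
    close(fd2);
    rename(other, path);
    if (!result && module_verify(path, &id, NULL) != MODULE_ERR_IDENTITY) result = 4;
    /* 5: a missing file */
    if (!result && module_verify("/tmp/modcheck.does-not-exist", &id, NULL) != MODULE_ERR_OPEN) result = 5;

    unlink(path);
    return result;
}

int main(void)
{
    int r = module_selftest();
    printf("module_selftest: %s (%d)\n", r == 0 ? "all scenarios as expected" : "unexpected verdict", r);
    return r == 0 ? 0 : 1;
}
```

The order of the checks matters for the failure the thread is worried about: a replaced file fails on identity before ownership or mode are even consulted, so a substitute that happens to be root-owned and 0644 is still refused. The symlink refusal and the writability check are additions beyond what the message describes; a deployment that records identities at install time and keeps modules in a root-owned, non-writable directory gets the same property the poster relies on, that a module which changed out from under the record is not loaded.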