[rescue] SGI fw_sshd and security

Meelis Roos mroos at linux.ee
Sat Mar 6 04:39:43 CST 2004


> They dynamically-linked a security library?

Like it or not, almost everything is dynamically linked nowadays. For
example, FreeBSD recently moved to dynamically linking /bin and /sbin
(as Solaris and Linux have done for a long time already). Only some
emergency binaries are static.

We had a discussion at $WORK some days ago about whether to link zlib
dynamically or statically. We decided to load it dynamically because of
_security reasons_ - when a security bug was found in zlib, it was a
pain in the ass to recompile every binary that linked zlib statically,
and on some machines some binaries were probably still left vulnerable.
Upgrading dynamic zlib fixed all the dynamically linked binaries at
once.

Since libwrap is also stable and rarely changing ABIs (like zlib), I
find no problems linking it dynamically. The attackers don't have a way
to LD_PRELOAD your running sshd.

-- 
Meelis Roos (mroos at linux.ee)
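
An added example, not part of the original message: a sweep for the binaries the post says get left behind, that is, ELF files carrying their own statically linked zlib older than a fix. It relies on the version banner that zlib's deflate.c and inftrees.c embed in every build; the function names and the `fixed_version` parameter (supplied by the caller from the relevant advisory) are assumptions of this sketch.

```python
import os
import re

# zlib embeds " deflate <ver> Copyright ..." and " inflate <ver> Copyright ..."
# banners; they survive static linking and symbol stripping.
BANNER = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")
ELF_MAGIC = b"\x7fELF"


def parse_version(text):
    """'1.2.11' -> (1, 2, 11), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(data):
    """Return the sorted, de-duplicated zlib versions whose banners are in data."""
    found = {parse_version(m.group(1).decode()) for m in BANNER.finditer(data)}
    return sorted(found)


def classify(data, fixed_version):
    """Verdict for one binary image; fixed_version is a tuple from the caller."""
    versions = embedded_zlib_versions(data)
    if not versions:
        # Nothing embedded: if it uses zlib at all, it uses the shared
        # library, which is patched by upgrading that one file.
        return "no-embedded-zlib"
    # Judge by the oldest copy found; one stale copy is enough to need a rebuild.
    return "static-vulnerable" if versions[0] < fixed_version else "static-ok"


def scan(root, fixed_version):
    """Walk root; return {path: verdict} for ELF files with an embedded zlib."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.startswith("libz.so") or not os.path.isfile(path):
                continue  # skip the shared zlib itself, FIFOs, dangling links
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: keep sweeping
            if data.startswith(ELF_MAGIC):
                verdict = classify(data, fixed_version)
                if verdict != "no-embedded-zlib":
                    report[path] = verdict
    return report
```

A binary that bundles a modified or banner-stripped zlib will not be found this way, so an empty report narrows the search rather than proving absence.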


