Contributed by rueda on from the living the life dynamic dept.
In a pair of commits, Theo de Raadt (deraadt@) changed many daemons in /sbin to be dynamically linked. First this, which had some of us a little mystified:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org 2022/08/29 05:51:05

Modified files:
        etc            : rc

Log message:
mount /usr earlier, to satisfy dynamically-linked daemons in /sbin better
(there will be more soon)

But the followup a few hours later explains some of the motivation for the move:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org 2022/08/29 11:00:30

Modified files:
        sbin/dhcpleased: Makefile
        sbin/mountd    : Makefile
        sbin/nfsd      : Makefile
        sbin/pflogd    : Makefile
        sbin/resolvd   : Makefile
        sbin/slaacd    : Makefile
        sbin/unwind    : Makefile

Log message:
Dynamically link these /sbin daemons: dhcpleased, mountd, nfsd, pflogd,
resolvd, slaacd, unwind.

The mitigation story is way better: syscalls are in a randomly located
libc, and every syscall stub is randomly located inside that due to random
relinking. As opposed to fixed offset inside a release binary.

There is one known consequence: /usr nfs mounting must use statically
configured IP addresses.

ok kettenis florian, others

With this explanation in place, we look forward to discussions of the security benefits of this change.
We, for one, find this quite exciting, and we are looking forward to further changes along the same lines that may occur.
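
One way to check which binaries a change like this covers, as an added example (not code from the commits or from OpenBSD): a dynamically linked ELF executable carries a PT_INTERP program header naming the run-time linker, so its syscall stubs live in a separately mapped libc, while a static binary has no PT_INTERP and keeps its stubs inside the binary itself. The sample images and the names `linkage`, `audit` and `SAMPLES` are constructed for illustration.

```python
import struct

PT_INTERP = 3  # program header that names the run-time linker (ld.so)
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header

def linkage(image: bytes) -> str:
    """Return 'dynamic' if the ELF image requests a run-time linker, else 'static'."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = EHDR.unpack_from(image)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    if phnum and phentsize < PHDR.size:
        raise ValueError("program header entries are too small")
    if phoff + phentsize * phnum > len(image):
        raise ValueError("program header table is truncated")
    for i in range(phnum):
        p_type = PHDR.unpack_from(image, phoff + i * phentsize)[0]
        if p_type == PT_INTERP:
            return "dynamic"
    # No PT_INTERP: statically linked (a static PIE may still carry PT_DYNAMIC).
    return "static"

def _sample(ptypes):
    """Build a constructed, minimal ELF64 image with the given program header types."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(ptypes), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)

# Constructed inputs, not real daemons.
SAMPLES = {
    "dynamic-daemon": _sample([6, 3, 1, 2]),  # PT_PHDR, PT_INTERP, PT_LOAD, PT_DYNAMIC
    "static-pie-daemon": _sample([1, 2]),     # PT_LOAD, PT_DYNAMIC, no PT_INTERP
}

def audit(images):
    """Map each name to 'dynamic' or 'static'."""
    return {name: linkage(data) for name, data in images.items()}

if __name__ == "__main__":
    import sys
    # With paths on the command line, audit those files; otherwise the samples.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name, kind in audit(images).items():
        print(f"{kind:8} {name}")
```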