[Dovecot] [SOLVED] Building dovecot with SSL support on Solaris

Marcus Rueckert rueckert at informatik.uni-rostock.de
Sun Oct 9 21:52:40 EEST 2005


On 2005-10-09 13:29:27 -0400, Gary Gendel wrote:
> The -ldl means that you wish to load the library that is used to
> dynamically load shared libraries.  If you really needed to do this then
> this brings up a small issue.
> 
> It is usually NOT a good idea to have openssl as a shareable library.
> This opens up a serious vulnerability.  Take this scenario...
> 
> A person manages to gain root privileges.  He replaces the openssl
> shareable library with a hacked version (say with a backdoor).  In doing
> so, he's circumvented every program that uses openssl for security and
> gained full access via lots of entry points (web services, ssh services,
> etc.).
> 
> My suggestion is to build a static openssl library and then you won't
> need to add the -ldl option.
>

ok ... now let's take some stuff into account. linking statically means:
- you need to recompile dovecot if you update openssl.
- you need to remember that.

about the bad scenario.... what prevents hacking the libc?
why the hell should we hack openssl here? we already have root.
what prevents us from hacking the dovecot binary too after we hacked the
libopenssl?

so far, so long: I take the ease of maintenance and link dynamically.

so long

    marcus
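A defender's counterpart to the library-replacement scenario and the rebuild-on-update point discussed in this thread, added here as an example (not code from the thread or from Dovecot): it lists which binaries load OpenSSL as a shared library (those get the fix with the next openssl update; statically linked ones need a rebuild) and compares the digests of those shared libraries against a previously recorded baseline. It assumes `ldd` and a GNU-style `sha256sum` (on Solaris substitute `digest -a sha256`); the path names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Extract the resolved paths of OpenSSL's libssl/libcrypto from `ldd` output on stdin.
# Only "name => /path (addr)" lines are kept; vdso and "not found" entries are skipped.
ssl_deps_from_ldd() {
    awk '/lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Classify one binary: "dynamic" if ldd resolves libssl/libcrypto, otherwise
# "static-or-none" (a statically linked OpenSSL leaves no ldd entry, so the
# binary must be rebuilt after an openssl update instead of just restarted).
classify_binary() {
    if ldd "$1" 2>/dev/null | ssl_deps_from_ldd | grep -q . ; then
        echo dynamic
    else
        echo static-or-none
    fi
}

# Record "digest  path" for every shared OpenSSL library used by the given
# binaries, e.g. record_baseline /usr/sbin/dovecot /usr/sbin/sshd > ssl-baseline.
record_baseline() {
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | ssl_deps_from_ldd
    done | sort -u | while read -r lib; do sha256sum "$lib"; done
}

# Compare a current "digest  path" listing (file $2) against the baseline (file $1).
# Prints each library whose digest changed or which is missing; returns 1 if any.
compare_baseline() {
    baseline=$1; current=$2; rc=0
    while read -r digest path; do
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$now" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$now" != "$digest" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}
```

Keep the baseline file and the comparison off the host: as the reply above points out, an attacker who already has root can alter the libraries, the binaries and this check alike, so a same-host comparison only catches unsophisticated replacement.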

