httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject Re: [users@httpd] dynamic vs static module - security issues
Date Fri, 07 Mar 2003 00:02:08 GMT

As others have noted, the short answer is yes, dynamic is less secure than
static modules assuming, of course, you compiled with a known secure set
of modules to start with.

Frankly though if your machine is compromised there are a lot of other
things the bad guys are going to do rather than adding a re-written apache
module. You probably want to worry more about kernel modules and root
kits. A good practice (if this type of thing concerns you and it should)
is to use something like Tripwire or Aide or even a home-grown database
of cryptographic hashes of key files (including modules, kernel or apache)
and compare hashes on some regular basis.

From a security point of view, I might be concerned about the SOURCE that
I get modules from. If you trust the distribution site you should still
use the checksum files that most sites provide. Your chances of
downloading a module that is compromised and adding it to your system are
probably more likely than the system being compromised and a module
replaced.  Consider that the Tripwire, TCP Wrappers and even monkeys.org
(DSNIFF hacking/security tool) have all been compromised and backdoors added
to the downloadable software over the years, all fixed now of course but
still... food for thought.






On Thu, 6 Mar 2003 Saqib.N.Ali@seagate.com wrote:

> Hi All,
>
> Are there any security issues/concerns with including modules statically vs
> dynamically? Are statically compiled modules more secure than dynamically
> included modules?
>
> Thanks
>
> In Peace,
> Saqib Ali
> "I fear, if I rebel against my Lord, the retribution of an Awful Day (The
> Day of Resurrection)" Al-Quran 6:15
> http://www.seagate.cc/blog/
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=        Inkling Research Inc.      =
=    Tim.Wort@InklingResearch.com   =
=        Tim.Wort@pobox.com         =
=                                   =
=        Eschew Obfuscation         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
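
The home-grown hash database suggested in the message above, sketched as an added example (not part of the original post or of any Apache tooling): it records a SHA-256 baseline of a module directory and later reports files that were modified, removed or added. The directory, the file names, `baseline.json` and the choice of SHA-256 are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of the contents; a symlink is recorded by its target instead."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (by relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): digest(p)
            for p in sorted(root.rglob("*")) if p.is_symlink() or p.is_file()}

def compare(baseline, current):
    """Return (status, path) pairs, sorted by path, for every difference."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append(("MISSING", path))
        elif path not in baseline:
            changes.append(("ADDED", path))
        elif baseline[path] != current[path]:
            changes.append(("MODIFIED", path))
    return changes

def demo():
    """Constructed sample: a stand-in modules directory altered after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp, "modules")            # hypothetical module directory
        mods.mkdir()
        for name in ("mod_a.so", "mod_b.so", "mod_c.so"):
            (mods / name).write_bytes(b"original " + name.encode())
        db = Path(tmp, "baseline.json")        # in practice: off-host or read-only media
        db.write_text(json.dumps(snapshot(mods)))
        # Drift after the baseline: one file replaced, one removed, one added.
        (mods / "mod_a.so").write_bytes(b"replaced")
        (mods / "mod_b.so").unlink()
        (mods / "mod_x.so").write_bytes(b"new")
        return compare(json.loads(db.read_text()), snapshot(mods))

if __name__ == "__main__":
    for status, path in demo():
        print(status, path)
```

A baseline stored on the same writable disk as the files it covers can be rewritten along with them, so the comparison is only meaningful when the database is kept somewhere the monitored host cannot modify.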


