Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: X server in a Firewall

Re: X server in a Firewall

From: Chuck Swiger <chuck_at_codefab.com>
Date: Fri, 27 Jan 2006 19:24:28 -0500

R. DuFresne wrote:
> On Tue, 24 Jan 2006, Chuck Swiger wrote:
[ ... ]
>>> 5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
>>> -rw-r--r-- 1 root wheel 893K Sep 1 02:30 openssh-4.2p1.tar.gz
>>> -rw-r--r-- 1 root wheel 31M Feb 25 2005 xorg/X11R6.8.2-src1.tar.gz
>>> -rw-r--r-- 1 root wheel 3.8M Feb 25 2005 xorg/X11R6.8.2-src2.tar.gz
>>> -rw-r--r-- 1 root wheel 9.9M Feb 25 2005 xorg/X11R6.8.2-src3.tar.gz
>
> Still missing a good chuck of ssh in there, where's the openssl tarball?

"Good chuck"? :-)

On the platform in question-- FreeBSD-- OpenSSL is part of the base system
libraries. Zlib is optional for SSH, but would also be found from the base
system libraries.

The source to those would add about 2.5MB worth, and there's another 1.5MB for
libc itself if you want to count that, too.

> Granted not as large as the X tarballs, but, folks should never have the
> impression that ssh stands alone. In fact there are a few more tarballs
> that should be in this mix, zlib, and likely a few crypto ones as well.
>
> While still lopsided in code weight, not as lopsided as making the erros
> that ssh is a stand alone....

Not many binaries are completely standalone nowadays, aside for the kernel,
init, and maybe /bin/sh. Most things dynamicly load libc in particular, but we
can take a look at the details if you like.

By my count, the # of dependent shared libraries is 5 for the SSH programs, and
46 for the baseline X11 binaries, excluding something like KDE or Gnome:

% ldd -f "%p\n" /usr/bin/ssh* | sort | uniq
/lib/libc.so.5
/lib/libcrypto.so.3
/lib/libssh.so.2
/lib/libutil.so.4
/lib/libz.so.2

% ldd -f "%p\n" /usr/X11R6/bin/* | sort | uniq
/lib/libc.so.5
/lib/libcrypt.so.2
/lib/libm.so.3
/lib/libncurses.so.5
/lib/libutil.so.4
/lib/libz.so.2
/usr/X11R6/lib/libFS.so.6
/usr/X11R6/lib/libGL.so.1
/usr/X11R6/lib/libGLU.so.1
/usr/X11R6/lib/libICE.so.6
/usr/X11R6/lib/libSM.so.6
/usr/X11R6/lib/libX11.so.6
/usr/X11R6/lib/libXTrap.so.6
/usr/X11R6/lib/libXau.so.0
/usr/X11R6/lib/libXaw.so.8
/usr/X11R6/lib/libXcursor.so.1
/usr/X11R6/lib/libXdmcp.so.0
/usr/X11R6/lib/libXext.so.6
/usr/X11R6/lib/libXfont.so.1
/usr/X11R6/lib/libXft.so.2
/usr/X11R6/lib/libXi.so.6
/usr/X11R6/lib/libXinerama.so.1
/usr/X11R6/lib/libXmu.so.6
/usr/X11R6/lib/libXmuu.so.1
/usr/X11R6/lib/libXp.so.6
/usr/X11R6/lib/libXpm.so.4
/usr/X11R6/lib/libXrandr.so.2
/usr/X11R6/lib/libXrender.so.1
/usr/X11R6/lib/libXss.so.1
/usr/X11R6/lib/libXt.so.6
/usr/X11R6/lib/libXtst.so.6
/usr/X11R6/lib/libXv.so.1
/usr/X11R6/lib/libXxf86dga.so.1
/usr/X11R6/lib/libXxf86misc.so.1
/usr/X11R6/lib/libXxf86vm.so.1
/usr/X11R6/lib/libdps.so.1
/usr/X11R6/lib/libfontconfig.so.1
/usr/X11R6/lib/libfontenc.so.1
/usr/X11R6/lib/libxkbfile.so.1
/usr/X11R6/lib/libxkbui.so.1
/usr/lib/libpam.so.2
/usr/lib/libpthread.so.1
/usr/lib/libstdc++.so.4
/usr/local/lib/libexpat.so.5
/usr/local/lib/libfreetype.so.9
/usr/local/lib/libpng.so.5

However, I'm pretty sure this is the long way around in terms of considering the
relative security of the two. SSH is not normally installed setuid-root,
whereas the Xserver binary and often xterm or xdm normally are setuid-root. 

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]