OpenSSH Trojan

Richard Lightman richard at
Fri Aug 2 12:42:40 PDT 2002

* Dagmar d'Surreal <dagmar at> [2002-08-02 19:41]:
> On Thu, 2002-08-01 at 19:28, Dan Eriksen wrote:
> > On 01 Aug 2002 19:07:48 -0500
> > Paul Roberts <dagmar at> wrote:
> > 
> > > make DESTDIR=~/reloc install
> > 
> > 	Excellent. Something like this is so simple, why wouldn't it be mentioned in the LFS book? Even just a note. Or did I just miss it?
> > 	I should have done more searching for general-security type info like this, but I mostly found docs that talked about locking down servers and some rather difficult (massively inconvenient) practices. This should be part of the configure, make, make install routine IMHO.
> > 
> Only packages of recent/modern design respect DESTDIR (meaning _almost_
> all of Gnome 1.4.x, definitely all of Gnome 2.x, most of the newer GNU
> releases, and precious little else when you need it) which seems to
> originate from within automake... so so long as the project itself was
> built with automake involved the macro will usually be there.  
Unfortunately people have to use autoconf and automake properly for
this to work. The most common mistake is to forget to use DESTDIR
on something that is not installed in a standard directory. The
next most common is to use DESTDIR in the contents of a file.
The exact problem occures in the oaf 'where is everything installed'
script (oaf is a part of gnome).

I really have installed everything using DESTDIR. Most things
now work, but there are some packages (even some modern stuff
in gnome) that will really try your patience if you are determined
to use DESTDIR.

> Things like libtiff, jpeg-6b, etc, have what can only be referred to as
> "homebrew" build scripts, and let's not even go into XFree86, whose only
> saving grace is that we know for a fact it'll only put files into
> /usr/X11R6 and /etc/X11R6 unless it's told to do otherwise.
These are extracted from my build scripts:


#Before configuring:
echo  > 'DSO="LINUX"'
echo >> 'DSOSUF="so"'
echo >> 'DSOSUF="so.\${DIST_MAJOR}"'
echo >> "LIBCOPTS='-fPIC'"
echo >> "DSOOPTS='-shared'"
echo >> 'DIRS_LIBINC="\$DIRS_LIBINC /usr/include"'
echo >> 'DIR_JPEGLIB="/usr/lib"'
echo >> 'JPEG="yes"'
echo >> 'DIR_GZLIB="/usr/lib"'
echo >> 'ZIP="yes"'
echo >> 'HTML="yes"'
echo >> 'DIR_BIN='\''\$(prefix)/bin'\'
echo >> 'DIR_LIB='\''\$(prefix)/lib'\'
echo >> 'DIR_INC='\''\$(prefix)/include'\'
echo >> 'DIR_MAN='\''\$(prefix)/share/man'\'
echo >> 'DIR_HTML='\''\$(prefix)/share/doc/tiff'\'
echo >> 'GCOPTS="$CFLAGS"'

#configure, people using scripts might like the --noninteractive configure option
make prefix=${prefix:-usr}
mkdir -p $tmpdir/install/usr/{include,bin,share/{doc/tiff,man/man{1,3}}}
make install prefix=$tmpdir/install/${prefix:-usr}

mkdir -p ../install${prefix:-/usr}/{share/man/man1,lib,include,bin}
make install prefix=$tmpdir/install${prefix:-/usr}\


Supports DESTDIR!
If you are upset about where x installs, look at ProjectRoot,
HasVarDirectory, VarDirectory and DefaultUsrBin. I admit to thinking
nasty things about Imake, but that is mostly caused by my ignorance.

> [...] 
> All things aside, it's struck me that LFS is geared towards building
> binaries for a _particular_ machine, and packagizing is really something
> that gives more benefit to when "one particular machine" turns into "a
> whole lot of 'em"... unless you're incredibly anal about removing stale
> files, upgrading smoothly (with the exception of highly volatile
> packages like pilot-link) a minor release at a time almost never causes
> leftover files to be a problem, and in the cases that they are, the
> maintainers will say so up front (as they did with pilot-link).
I am just paramoid ;-).

Unsubscribe: send email to listar at
and put 'unsubscribe lfs-security' in the subject header of the message

More information about the lfs-security mailing list