privilege separation breaks dns lookups

Gert Doering gert at greenie.muc.de
Thu Jul 25 00:32:08 EST 2002


Hi,

On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > When the unprivileged child has chrooted it can no longer open
> > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> > dns lookups will not be possible. This is unfortunately what normally
> > happens, but sshd falls back gracefully.
> 
> can you try this?
> 
> Index: sshd.c
> ===================================================================
[..]
>  		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
> +
> +	/*
> +	 * Initialize the resolver.  This may not happen automatically
> +	 * before privsep chroot().
> +	 */
> +	if ((_res.options & RES_INIT) == 0) {
> +		debug("res_init()");
> +		res_init();
> +	}
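Review bot: the `(_res.options & RES_INIT) == 0` test uses the `_res` global and the `RES_INIT` flag unguarded; they need `<resolv.h>` (and, on BSD libcs, `<netinet/in.h>` and `<arpa/nameser.h>` before it), and on a libc that does not expose `_res`/`RES_INIT` this will not compile, so wrap the block in `#ifdef RES_INIT` or a configure check. The return value of `res_init()` is also dropped; since a failed initialisation here only surfaces later as silently broken lookups inside the chroot, log it, e.g. `if (res_init() != 0) error("res_init failed");`. The comment could also say why the call has to sit here rather than in the child: the state is inherited across the privsep `fork()`, whereas after `chroot()` the child can no longer read `/etc/resolv.conf`.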

I won't claim to understand why it is necessary, but your patch fixes the
"wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE machine
with PrivSep and RhostsRSAAuthentication enabled.

Sorry for not responding more quickly - I passed this to a colleague who
just didn't do the test :-(

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
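The ordering the thread is about, written out as an added example. This is neither OpenSSH code nor Kevin's patch: it is a stand-alone C program that initialises the libc resolver in the privileged parent, fork()s a child that chroot()s the way the privsep child does, and prints which nameservers that child ends up with in each order. The helper names, the PRIVSEP_CHROOT path (OpenSSH's default is /var/empty, but the directory may not exist on every system) and the use of the public _res fields are assumptions; running the demonstration needs root for chroot(), and the "first lookup triggers res_init() lazily" behaviour is that of the BSD and glibc resolvers.

```c
/*
 * Added example, not OpenSSH code: initialise the resolver in the parent
 * before the privsep child chroot()s, and show what the child sees if that
 * is done in the wrong order. Needs root for chroot(). PRIVSEP_CHROOT and
 * the helper names are assumptions for this example.
 */
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <errno.h>
#include <netinet/in.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PRIVSEP_CHROOT "/var/empty"   /* assumed empty, root-owned directory */

/* 1 if this process's resolver has already read /etc/resolv.conf (or fallen
 * back to its compiled-in defaults), 0 otherwise. Guarded because not every
 * libc exposes the _res global and the RES_INIT flag. */
int resolver_ready(void)
{
#ifdef RES_INIT
	return (_res.options & RES_INIT) != 0;
#else
	return 0;
#endif
}

/* Call this in the parent, before fork()+chroot(): the child inherits the
 * initialised state. Returns 0 on success, -1 if res_init() fails. */
int resolver_init_before_chroot(void)
{
	if (resolver_ready())
		return 0;
	if (res_init() != 0) {
		fprintf(stderr, "res_init: %s\n", strerror(errno));
		return -1;
	}
	return 0;
}

/* Model of the privsep child: chroot, then whatever the first lookup would
 * do, which is a lazy res_init() if nobody initialised the resolver earlier.
 * Instead of a real query we print the IPv4 nameservers the child would use. */
static int child_report(const char *label)
{
	if (chroot(PRIVSEP_CHROOT) != 0 || chdir("/") != 0) {
		fprintf(stderr, "%s: chroot %s: %s\n", label, PRIVSEP_CHROOT,
		    strerror(errno));
		return 1;
	}
	if (!resolver_ready() && res_init() != 0)   /* lazy init inside the jail */
		return 1;
	printf("%s: %d nameserver(s), first is %s\n", label, _res.nscount,
	    _res.nscount > 0 ? inet_ntoa(_res.nsaddr_list[0].sin_addr) : "(none)");
	return 0;
}

/* Fork a child, run child_report() in it and return its exit status. */
static int run_child(const char *label)
{
	pid_t pid = fork();
	int status;

	if (pid == 0)
		_exit(child_report(label));
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
	if (geteuid() != 0) {
		fprintf(stderr, "needs root for chroot()\n");
		return 1;
	}
	/* Wrong order: the child initialises inside the chroot, cannot open
	 * /etc/resolv.conf and falls back to the libc default (loopback). */
	run_child("uninitialised before chroot");

	/* Right order: initialise in the parent; the fork()ed child inherits it. */
	if (resolver_init_before_chroot() != 0)
		return 1;
	run_child("initialised before chroot");
	return 0;
}
```

Run as root, the first line reports the fallback nameserver (127.0.0.1 on the resolvers mentioned above) and the second the servers from /etc/resolv.conf, which is the "wait a minute" delay Gert saw turned into a visible state. A related caveat not raised in the thread, stated here as an assumption about glibc rather than something the page says: lookups through getaddrinfo()/gethostbyname() go via NSS, which dlopen()s libnss_files/libnss_dns on first use, so on glibc a chrooted child also needs those modules loaded (for instance by a lookup done before chroot()), not just an initialised _res.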



More information about the openssh-unix-dev mailing list