privilege separation breaks dns lookups
Gert Doering
gert at greenie.muc.de
Thu Jul 25 00:32:08 EST 2002
Hi,
On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > When the unprivileged child has chrooted it can no longer open
> > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> > dns lookups will not be possible. This is unfortunately what normally
> > happens, but sshd falls back gracefully.
>
> can you try this?
>
> Index: sshd.c
> ===================================================================
[..]
> error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
> +
> + /*
> + * Initialize the resolver. This may not happen automatically
> + * before privsep chroot().
> + */
> + if ((_res.options & RES_INIT) == 0) {
> + debug("res_init()");
> + res_init();
> + }
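Review bot: the check `(_res.options & RES_INIT) == 0` reads the global `_res`, which needs `<resolv.h>` and is libc-specific (on some platforms it is a macro over per-thread resolver state or is absent altogether); the hunk shows neither the include nor a portability guard, so suggest adding the include and wrapping the block in a configure-time check so builds on platforms without `_res` do not break. The return value of `res_init()` is also discarded; since the whole point is that the resolver must be usable later inside the chroot, report a failure here, e.g. `if (res_init() != 0) error("res_init: %.100s", strerror(errno));`, so a resolver that could not be initialised shows up in the log instead of as the delayed lookups described above.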
I won't claim to understand why it is necessary, but your patch fixes the
"wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE machine
with PrivSep and RhostsRSAAuthentication enabled.
Sorry for not responding more quickly - I passed this to a colleague who
just didn't do the test :-(
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
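The ordering the thread is about (load the libc resolver state while /etc/resolv.conf is still reachable, only then chroot), as an added example in C. This is not code from the thread or from OpenSSH's source; the function names, the optional jail path taken from argv and the decision to report rather than abort when chroot() is refused to a non-root process are my own assumptions.

```c
#define _DEFAULT_SOURCE        /* for chroot() on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Returns 1 if the resolver state already carries RES_INIT, 0 otherwise.
 * _res is the libc's global resolver state (a macro on glibc). */
int resolver_is_initialized(void)
{
    return (_res.options & RES_INIT) != 0;
}

/* Initialise the resolver before the process loses access to
 * /etc/resolv.conf. Idempotent: an already-initialised resolver is left
 * alone. Returns 0 on success, -1 if res_init() reported a failure. */
int init_resolver_before_chroot(void)
{
    if (resolver_is_initialized())
        return 0;
    if (res_init() != 0) {
        fprintf(stderr, "res_init: %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

/* Confine the process to `jail` and reset the cwd so no handle to the
 * outside tree survives. Returns 0 on success, -1 with errno set
 * (EPERM when the caller is not root). Hypothetical helper. */
int confine(const char *jail)
{
    if (chroot(jail) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Step 1: resolver state is loaded while the config files are visible. */
    if (init_resolver_before_chroot() != 0)
        return 1;
    printf("resolver initialised: %s\n",
           resolver_is_initialized() ? "yes" : "no");

    /* Step 2: only now drop into the jail (path supplied by the caller). */
    if (argc > 1) {
        if (confine(argv[1]) != 0)
            fprintf(stderr, "chroot(%s) not applied: %s\n",
                    argv[1], strerror(errno));
        else
            printf("confined to %s; resolver state is already in memory\n",
                   argv[1]);
    }
    /* Any gethostbyname()/res_query() from here on uses the state loaded
     * in step 1 instead of trying to open /etc/resolv.conf inside the jail. */
    return 0;
}
```

Run it as root with a jail directory as the first argument to see both steps; without an argument it only performs the resolver initialisation, which is the part the patch above adds to sshd.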