privilege separation breaks dns lookups

Tony Finch dot at dotat.at
Thu Jun 27 08:26:31 EST 2002


When the unprivileged child has chrooted it can no longer open
/etc/resolv.conf, so if the resolver hasn't yet initialized itself then
DNS lookups will not be possible. This is unfortunately what normally
happens, but sshd falls back gracefully.

There are a couple of wrinkles: the resolver will typically try talking
to a nameserver on the local host by default (using INADDR_ANY rather
than INADDR_LOOPBACK) so if one is running then things will still work.
However if for some reason the name server is running but has ACLs which
only permit queries on 127.0.0.1 then sshd will hang when attempting a
DNS lookup since it gets neither an ICMP port unreachable nor a response.

Tony.
-- 
f.a.n.finch <dot at dotat.at> http://dotat.at/
VIKING: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6 IN WEST LATER.
RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD.
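The failure mode above comes from reading /etc/resolv.conf too late. The following is an added example, not code from the post or from OpenSSH: it loads the resolver state with res_init() while the file is still reachable, then enters the jail, so lookups made by the chrooted child use the already-loaded state. The jail directory "/var/empty" is only an assumed value, and chroot() is skipped with a message when the caller is not root.

```c
/* Added example (not from the original post or OpenSSH): initialise the
 * resolver before chroot() so the unprivileged child can still resolve. */
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Read /etc/resolv.conf while it is still visible; 0 on success, -1 on failure. */
int init_resolver_before_chroot(void)
{
    if (res_init() != 0)
        return -1;
    /* RES_INIT is set once the resolver state has been populated. */
    return (_res.options & RES_INIT) ? 0 : -1;
}

/* Nameservers the resolver picked up (0 means it will fall back to the
 * local host, the case the post describes); -1 if not initialised. */
int configured_nameserver_count(void)
{
    return (_res.options & RES_INIT) ? _res.nscount : -1;
}

/* Enter the jail; 0 on success, -1 with errno set (EPERM when not root). */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

int main(void)
{
    if (init_resolver_before_chroot() != 0) {
        fprintf(stderr, "resolver init failed\n");
        return 1;
    }
    printf("resolver loaded %d nameserver(s) before chroot\n",
           configured_nameserver_count());
    /* "/var/empty" is an assumed jail directory for this example. */
    if (enter_jail("/var/empty") != 0)
        fprintf(stderr, "chroot skipped: %s\n", strerror(errno));
    else
        puts("chrooted; resolver state is already in memory, so lookups still work");
    return 0;
}
```

Doing the res_init() call after chroot() instead would leave the child with no nameserver list at all, which is the fallback situation the post describes.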



More information about the openssh-unix-dev mailing list