privilege separation breaks dns lookups
Kevin Steves
kevin at atomicgears.com
Sun Jun 30 05:38:35 EST 2002
On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> When the unprivileged child has chrooted it can no longer open
> /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> dns lookups will not be possible. This is unfortunately what normally
> happens, but sshd falls back gracefully.
Can you try this?
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.253
diff -u -r1.253 sshd.c
--- sshd.c 28 Jun 2002 23:05:06 -0000 1.253
+++ sshd.c 29 Jun 2002 19:38:40 -0000
@@ -49,6 +49,8 @@
#include <openssl/md5.h>
#include <openssl/rand.h>
+#include <resolv.h>
+
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
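Review bot: the new `#include <resolv.h>` is dropped between the OpenSSL headers and the project's own "ssh.h"/"ssh1.h"/"ssh2.h" group; on BSD-derived systems <resolv.h> expects <sys/types.h>, <netinet/in.h> and <arpa/nameser.h> to have been included before it, so either confirm the existing includes already provide those or move the new line up with the other system headers so the dependency is visible and the include order stays consistent.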
@@ -1363,6 +1365,15 @@
setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+ /*
+ * Initialize the resolver. This may not happen automatically
+ * before privsep chroot().
+ */
+ if ((_res.options & RES_INIT) == 0) {
+ debug("res_init()");
+ res_init();
+ }
/*
* Register our connection. This turns encryption off because we do
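Review bot: in the block added after the SO_KEEPALIVE setsockopt, the result of res_init() is discarded, so if /etc/resolv.conf cannot be read here the server carries on and the chrooted child still ends up without a working resolver, only now with nothing in the log to explain why; check the return value next to the existing debug(), e.g. `if (res_init() != 0) error("res_init failed");`. The comment "This may not happen automatically before privsep chroot()" would also read better if it said why it matters: once the unprivileged child has chrooted it can no longer open /etc/resolv.conf, so the resolver state has to be populated while the file is still readable, which is what the placement here relies on.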
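The pattern the thread is about, as an added example that is not part of the original message or of OpenSSH: prime the libc stub resolver in the privileged process, checking the RES_INIT bit the way the patch does, and only then enter the chroot, so that anything forked afterwards inherits an initialised resolver instead of discovering at first lookup that /etc/resolv.conf is no longer reachable. It assumes a BSD/glibc-style resolver exposing `_res`, `RES_INIT` and `res_init()`; the `/var/empty` directory and uid/gid 65534 are placeholder values, and the chroot step is only attempted when running as root and otherwise reported as skipped.

```c
/*
 * Added example (not from the original thread or from OpenSSH).
 * Initialise the resolver before chroot() so the sandboxed process,
 * which can no longer open /etc/resolv.conf, still has a usable
 * resolver state. Assumes a BSD/glibc-style resolver (_res, RES_INIT,
 * res_init()). The sandbox path and ids below are placeholders.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1       /* chroot() is not in plain POSIX on glibc */
#endif
#include <sys/types.h>
#include <netinet/in.h>     /* traditional BSD prerequisites of <resolv.h> */
#include <arpa/nameser.h>
#include <resolv.h>
#include <unistd.h>
#include <stdio.h>

/* 1 if the resolver has already read its configuration, else 0. */
int resolver_is_initialized(void)
{
    return (_res.options & RES_INIT) != 0;
}

/*
 * Make sure the resolver is initialised. Returns 0 on success and -1 if
 * res_init() reported failure or left the RES_INIT bit clear. Call this
 * while /etc/resolv.conf is still readable, i.e. before chroot().
 */
int resolver_prime(void)
{
    if (resolver_is_initialized())
        return 0;                       /* an earlier lookup already did it */
    if (res_init() != 0)
        return -1;                      /* do not ignore this, unlike the patch */
    return resolver_is_initialized() ? 0 : -1;
}

/*
 * Enter the sandbox: chroot, chdir into it, then drop privileges last
 * (chroot() itself needs root). Returns 0 on success, -1 on error, and
 * 1 when skipped because the caller is not root.
 */
int enter_sandbox(const char *dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;
    if (chroot(dir) == -1 || chdir("/") == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Order matters: resolver first, sandbox second. */
    if (resolver_prime() == -1) {
        fprintf(stderr, "resolver initialisation failed\n");
        return 1;
    }
    printf("resolver initialised: %d\n", resolver_is_initialized());

    /* Hypothetical sandbox directory and unprivileged ids. */
    int rc = enter_sandbox("/var/empty", 65534, 65534);
    if (rc == 1)
        printf("sandbox skipped (not running as root)\n");
    else if (rc == -1)
        perror("enter_sandbox");
    else
        printf("sandbox entered; resolver still initialised: %d\n",
               resolver_is_initialized());
    return rc == -1;
}
```

Run it as an ordinary user and it only exercises the resolver part; as root it also chroots into the placeholder directory, and the RES_INIT bit survives because the resolver state lives in process memory, not in the filesystem the jail hides.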
More information about the openssh-unix-dev mailing list