privilege separation breaks dns lookups
Corinna Vinschen
vinschen at redhat.com
Sun Jun 30 23:43:07 EST 2002
On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > When the unprivileged child has chrooted it can no longer open
> > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> > dns lookups will not be possible. This is unfortunately what normally
> > happens, but sshd falls back gracefully.
>
> can you try this?
Please don't do this w/o checking for existence of the resolver lib.
See below.
Corinna
> Index: sshd.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
> retrieving revision 1.253
> diff -u -r1.253 sshd.c
> --- sshd.c 28 Jun 2002 23:05:06 -0000 1.253
> +++ sshd.c 29 Jun 2002 19:38:40 -0000
> @@ -49,6 +49,8 @@
> #include <openssl/md5.h>
> #include <openssl/rand.h>
>
#ifdef HAVE_RESOLV_H
> +#include <resolv.h>
> +
#endif
> #include "ssh.h"
> #include "ssh1.h"
> #include "ssh2.h"
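Review bot: the new `#include <resolv.h>` in this hunk is unconditional, so the build breaks on any platform that ships no resolv.h (the portable tree already carries platform-conditional headers for exactly this reason). Wrap it as the interleaved `#ifdef HAVE_RESOLV_H` / `#endif` lines suggest, and make sure configure actually defines HAVE_RESOLV_H when the header is found. The added blank `+` line after the include is stray and can be dropped.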
> @@ -1363,6 +1365,15 @@
> setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
> sizeof(on)) < 0)
> error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
#ifdef HAVE_RESOLV_H
> +
> + /*
> + * Initialize the resolver. This may not happen automatically
> + * before privsep chroot().
> + */
> + if ((_res.options & RES_INIT) == 0) {
> + debug("res_init()");
> + res_init();
> + }
#endif
>
> /*
> * Register our connection. This turns encryption off because we do
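Review bot: the `res_init()` call in this hunk ignores its return value, so a failed initialization (unreadable /etc/resolv.conf, for instance) is silent and the child still chroots with an uninitialized resolver, which is the very failure the hunk is meant to avoid. Check the result and report it, e.g. `if (res_init() == -1) error("res_init: %.100s", strerror(errno));`, so the log shows why later name lookups fail. The block also has to sit inside the same `#ifdef HAVE_RESOLV_H` guard as the include, since `_res` and `RES_INIT` come from resolv.h; the unguarded version does not compile where the first hunk's include is absent.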
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com