Date: Wed, 24 Jul 2002 20:32:19 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: Peter Pentchev <roam@ringlet.net>
Cc: Tony Finch <dot@dotat.at>, des@freebsd.org, dinoex@freebsd.org, freebsd-security@freebsd.org
Subject: Re: sshd privsep dns lookup bug
Message-ID: <20020724183219.GA2395@starjuice.net>
In-Reply-To: <20020724181801.GB31448@straylight.oblivion.bg>
References: <20020724163447.B8886@chiark.greenend.org.uk> <20020724181801.GB31448@straylight.oblivion.bg>

On (2002/07/24 21:18), Peter Pentchev wrote:

> I believe this has been pointed out several times, including on this list,
> and there is nothing stopping you from installing the system's resolv.conf
> into the /var/empty/etc/ directory, right? :)
>
> Okay, so maybe it should be documented somewhere..

We set the system immutable flag on /var/empty because it's supposed to
be empty, as documented in sshd(8):

     /var/empty
             chroot(2) directory used by sshd during privilege separation
             in the pre-authentication phase.  The directory should not
             contain any files and must be owned by root and not group or
             world-writable.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
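
The sshd(8) requirements quoted in the message above, written as a check script. This is an added example, not part of the original e-mail or of FreeBSD; the function name check_privsep_dir and its optional expected-UID argument are assumptions, and the schg test assumes the flags column that FreeBSD's ls -o prints.

```shell
#!/bin/sh
# Audit a privilege-separation chroot directory against the sshd(8) text:
# no files inside, owned by root, not group- or world-writable.
# Usage: check_privsep_dir DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0)
# Prints one line per finding; returns 0 when the directory is clean.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}   # hypothetical parameter so the check can be tried unprivileged
    rc=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi

    # ls -ldn prints: mode, link count, numeric uid, numeric gid, ...
    read -r mode _links uid _rest <<EOF
$(ls -ldn "$dir")
EOF

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $mode in ?????w*) echo "FAIL: $dir is group-writable"; rc=1 ;; esac
    case $mode in ????????w*) echo "FAIL: $dir is world-writable"; rc=1 ;; esac

    # A resolv.conf (or anything else) placed inside violates "should not
    # contain any files".
    if [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not empty"
        rc=1
    fi

    # FreeBSD only: report whether the system immutable flag is set.
    # Informational, since sshd(8) does not require it.
    if [ "$(uname -s)" = "FreeBSD" ]; then
        read -r _m _l _u _g flags _rest <<EOF
$(ls -ldno "$dir")
EOF
        case $flags in
            *schg*) ;;
            *) echo "NOTE: $dir does not have the schg flag set" ;;
        esac
    fi
    return $rc
}
```

Run it as `check_privsep_dir /var/empty`; a non-zero return means at least one FAIL line was printed.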