From owner-freebsd-security Wed Jul 24 11:31:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id BB39D37B400; Wed, 24 Jul 2002 11:31:11 -0700 (PDT)
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 6E7CA43EA3; Wed, 24 Jul 2002 11:31:10 -0700 (PDT)
	(envelope-from sheldonh@starjuice.net)
Received: from sheldonh by axl.seasidesoftware.co.za with local (Exim 4.10)
	id 17XQvr-0000d7-00; Wed, 24 Jul 2002 20:32:19 +0200
Date: Wed, 24 Jul 2002 20:32:19 +0200
From: Sheldon Hearn
To: Peter Pentchev
Cc: Tony Finch, des@freebsd.org, dinoex@freebsd.org,
	freebsd-security@freebsd.org
Subject: Re: sshd privsep dns lookup bug
Message-ID: <20020724183219.GA2395@starjuice.net>
Mail-Followup-To: Peter Pentchev, Tony Finch, des@freebsd.org,
	dinoex@freebsd.org, freebsd-security@freebsd.org
References: <20020724163447.B8886@chiark.greenend.org.uk> <20020724181801.GB31448@straylight.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020724181801.GB31448@straylight.oblivion.bg>
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On (2002/07/24 21:18), Peter Pentchev wrote:

> I believe this has been pointed out several times, including on this list,
> and there is nothing stopping you from installing the system's resolv.conf
> into the /var/empty/etc/ directory, right? :)
>
> Okay, so maybe it should be documented somewhere..

We set the system immutable flag on /var/empty because it's supposed to
be empty, as documented in sshd(8):

     /var/empty
             chroot(2) directory used by sshd during privilege separation
             in the pre-authentication phase.  The directory should not
             contain any files and must be owned by root and not group or
             world-writable.

Ciao,
Sheldon.
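
The following is an added example, not part of the original message and not OpenSSH or FreeBSD code: a Python check of the properties sshd(8) lists for the privilege-separation chroot directory (empty, owned by root, not group or world-writable), plus the system immutable flag mentioned in the message. The function name `audit_privsep_dir` and its `expected_uid` parameter are assumptions made for the illustration.

```python
import os
import stat


def audit_privsep_dir(path="/var/empty", expected_uid=0):
    """Return a list of findings; an empty list means the directory passes.

    Hypothetical helper. expected_uid is a parameter only so the check can
    be exercised on a scratch directory without being root.
    """
    try:
        st = os.lstat(path)  # lstat: a symlink must not stand in for the dir
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]

    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")

    # sshd(8): "The directory should not contain any files". A copied-in
    # etc/resolv.conf, as suggested in the quoted text, shows up here.
    try:
        entries = sorted(os.listdir(path))
    except OSError as exc:
        findings.append(f"{path}: cannot list contents ({exc.strerror})")
    else:
        if entries:
            findings.append(f"{path}: not empty, contains {entries}")

    # st_flags exists only on BSD-derived systems; the check is skipped elsewhere.
    flags = getattr(st, "st_flags", None)
    if flags is not None and not flags & stat.SF_IMMUTABLE:
        findings.append(f"{path}: system immutable flag (schg) not set")
    return findings


if __name__ == "__main__":
    for line in audit_privsep_dir() or ["/var/empty: ok"]:
        print(line)
```
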