From owner-freebsd-net@FreeBSD.ORG Tue Aug 29 19:24:16 2006
X-Original-To: net@freebsd.org
Delivered-To: freebsd-net@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DB5216A4EA; Tue, 29 Aug 2006 19:24:16 +0000 (UTC) (envelope-from prvs=julian=38983aa42@elischer.org)
Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4E56D43DAB; Tue, 29 Aug 2006 19:23:49 +0000 (GMT) (envelope-from prvs=julian=38983aa42@elischer.org)
Received: from unknown (HELO [10.251.18.229]) ([10.251.18.229]) by a50.ironport.com with ESMTP; 29 Aug 2006 12:23:41 -0700
Message-ID: <44F4943C.70600@elischer.org>
Date: Tue, 29 Aug 2006 12:23:40 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jeremie Le Hen
References: <44EF6E18.6090905@elischer.org> <44EF74CD.6080500@elischer.org> <20060829085001.GB982@zaphod.nitro.dk> <20060829090148.GD15761@obiwan.tataz.chchile.org>
In-Reply-To: <20060829090148.GD15761@obiwan.tataz.chchile.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Simon L. Nielsen", FreeBSD Net
Subject: Re: [fbsd] Re: possible patch for implementing split DNS
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 29 Aug 2006 19:24:16 -0000

Jeremie Le Hen wrote:
>Hi Simon,
>
>On Tue, Aug 29, 2006 at 10:50:02AM +0200, Simon L. Nielsen wrote:
>>On 2006.08.25 15:08:13 -0700, Julian Elischer wrote:
>>Since a bunch of people have suggested other solutions I just wanted
>>to add my 0.01$CURRENCY, FWIW.
>>
>>Other than a missing update for some manual page (not sure where this
>>should go) I don't see a problem adding this patch. "Normal" users
>>should already be able to get similar functionality by simply
>>preloading a custom patched libc, so I don't see a problem supporting
>>this.
>
>I agree with this statement. If users really want to, they can
>compile their own libc. However, nectar@ has added the following
>comment in nsdispatch.c:
>
>% #if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT)
>% /* NOTE WELL: THIS IS A SECURITY HOLE. This must only be built
>%  * for debugging purposes and MUST NEVER be used in production.
>%  */
>% path = getenv("NSSWITCH_CONF");
>% if (path == NULL)
>% #endif
>% path = _PATH_NS_CONF;
>
>We should remove this #if clause because of your argument. I'm not sure
>it is worth documenting it however.

By testing for SUID and a few other cases this can be made safe.
Notice that my patch would not do anything on suid programs (which you
can not use LD hacks with for the same reason).

>Regards,
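The "test for SUID before trusting the environment" idea in the reply above, written out as an added example. This is not the split-DNS patch and not FreeBSD's nsdispatch.c; it only shows the gate a libc-style override of the nsswitch.conf path would need. The function names (process_is_secure, resolve_ns_conf_path, ns_conf_path) are invented for the example, the _PATH_NS_CONF value is the usual default and is defined here because the real one lives in a libc-internal header, and the NSSWITCH_CONF variable name is the one from the quoted #if block. The set-id test uses issetugid() on the BSDs and macOS and AT_SECURE on Linux, which is the same question the run-time linker asks before honouring LD_* variables.

```c
/* Added example: honour an environment override of the nsswitch.conf
 * path only when the process is not set-id.  Not FreeBSD's nsdispatch.c
 * and not the patch under discussion. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* libc keeps the real definition in an internal header; this is the
 * documented default path (assumption for the example). */
#ifndef _PATH_NS_CONF
#define _PATH_NS_CONF "/etc/nsswitch.conf"
#endif

/* Variable name taken from the quoted #if block. */
#define NS_CONF_ENV "NSSWITCH_CONF"

/* Returns 1 if the process holds privilege its invoker did not have
 * (set-uid/set-gid binary, or AT_SECURE on Linux, which also covers
 * file capabilities), 0 otherwise.  This is the same test ld.so / rtld
 * applies before honouring LD_PRELOAD and friends. */
int process_is_secure(void)
{
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
    defined(__DragonFly__) || defined(__APPLE__)
	return issetugid();
#elif defined(__linux__)
	return getauxval(AT_SECURE) != 0;
#else
	/* Portable approximation: catches the still-set-id case only. */
	return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Policy decision, kept pure so it can be tested without touching the
 * real environment:
 *   override  value of NSSWITCH_CONF, or NULL when unset
 *   secure    result of process_is_secure()
 * The override wins only when the process is not set-id and the value
 * is a non-empty absolute path; everything else falls back to the
 * compiled-in default. */
const char *resolve_ns_conf_path(const char *override, int secure)
{
	if (secure)			/* never trust a set-id process's environment */
		return _PATH_NS_CONF;
	if (override == NULL || override[0] != '/')	/* unset, empty or relative */
		return _PATH_NS_CONF;
	return override;
}

/* What a dispatcher would call at configuration-load time. */
const char *ns_conf_path(void)
{
	return resolve_ns_conf_path(getenv(NS_CONF_ENV), process_is_secure());
}
```

The gate covers exactly the case the reply names: a set-id program ignores NSSWITCH_CONF just as it ignores LD_PRELOAD. It does not cover a privileged daemon that is exec'd with an attacker-influenced environment and never changes uid, which is why the override is still something a libc maintainer has to decide to ship rather than something the check alone makes harmless.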