Date: Thu, 29 Dec 2011 22:36:06 +0400 From: Andrey Chernov <ache@FreeBSD.ORG> To: d@delphij.net Cc: freebsd-security@FreeBSD.ORG, Doug Barton <dougb@FreeBSD.ORG>, John Baldwin <jhb@FreeBSD.ORG> Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... Message-ID: <20111229183606.GA48785@vniz.net> In-Reply-To: <4EFCB0C9.6090608@delphij.net> References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org> <CAGMYy3uzLXMvw40q1hM9dnHGxxh%2BeO_8Y1nbNKsPSB_Aenmm7w@mail.gmail.com> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/29/11 06:39, John Baldwin wrote: > > Can you give some more details on why ftpd is triggering a dlopen > > inside of the chroot? It would appear that that is unrelated to > > helper programs (since setting a flag in libc in ftpd can't > > possibly affect helper programs ability to use dlopen() from within > > libc). > > Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if > it notices a change. After chroot() the file is considered as > "chang"ed and thus it reloads the file as well as designated shared > libraries. Another proposal more close to @secteam version, but less ugly: to have public API rtld function (or env variable) which prevents _any_ dlopen(), not guarded currently by libc only. That way only rtld and ftpd's needs to be rebuilded, but not libc itself. -- http://ache.vniz.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111229183606.GA48785>