From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:15:45 2011
Message-ID: <4EFCBC60.3080607@delphij.net>
Date: Thu, 29 Dec 2011 11:15:44 -0800
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Andrey Chernov, d@delphij.net, John Baldwin, freebsd-security@FreeBSD.ORG, Doug Barton
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <4EF6444F.6090708@FreeBSD.org> <201112290939.53665.jhb@freebsd.org> <4EFCB0C9.6090608@delphij.net> <20111229183606.GA48785@vniz.net>
In-Reply-To: <20111229183606.GA48785@vniz.net>
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
List-Id: "Security issues \[members-only posting\]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/11 10:36, Andrey Chernov wrote:
> On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 12/29/11 06:39, John Baldwin wrote:
>>> Can you give some more details on why ftpd is triggering a
>>> dlopen inside of the chroot?  It would appear that that is
>>> unrelated to helper programs (since setting a flag in libc in
>>> ftpd can't possibly affect helper programs' ability to use
>>> dlopen() from within libc).
>>
>> Sure.  That's because nsdispatch(3) would reload
>> /etc/nsswitch.conf if it notices a change.  After chroot() the
>> file is considered as "chang"ed and thus it reloads the file as
>> well as designated shared libraries.
>
> Another proposal, closer to @secteam's version but less ugly: to
> have a public API rtld function (or env variable) which prevents
> _any_ dlopen(), not guarded currently by libc only.

Would you please elaborate on how this would be less ugly (e.g. with a
patch)?

> That way only rtld and ftpd need to be rebuilt, but not libc
> itself.

We discussed a change like this but IIRC it was rejected because the
affected surface is too broad and we wanted to limit it to just the
implicit dlopen()s to avoid breaking legitimate applications.

Cheers,
- -- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk78vGAACgkQOfuToMruuMA6RwCfWP6Lqq6P4vcmL9MbsOI+uV9R
wEQAnRyKe6vGvEdnuDPbBkP5kKdvLC8Q
=jwOs
-----END PGP SIGNATURE-----
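The mechanism Xin Li describes above (nsdispatch(3) re-reading /etc/nsswitch.conf when it looks changed, and loading whatever shared libraries the new file names) is easy to misread as a corner case, so here is a small model of it. This is an added example for this page, not code from the thread and not FreeBSD's libc: it keeps the parts that matter for the security argument and simulates the chroot() with a root-prefix argument so it runs unprivileged. Everything below is an assumption on my part rather than something the thread states: the mtime-only cache check, the list of sources that libc serves without a module (files, dns, nis, compat), the module file name pattern `nss_<source>.so.1`, and all function names (`needs_dlopen`, `parse_nsswitch_line`, `config_changed`, `reload_modules`, `run_demo`). The two nsswitch.conf files are constructed samples written to a temporary directory.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

#define MAX_SRC 8
#define SRC_LEN 32
#define MOD_LEN 48
#define NSS_MODULE_INTERFACE_VERSION 1 /* assumed: the value FreeBSD's nsdispatch.c uses */

/* Sources served inside libc; any other name is a loadable module (assumed FreeBSD list). */
static const char *builtin_sources[] = { "files", "dns", "nis", "compat", NULL };

/* 1 if nsdispatch would have to dlopen() a module to serve this source. */
int needs_dlopen(const char *source)
{
    for (const char **b = builtin_sources; *b != NULL; b++)
        if (strcmp(*b, source) == 0)
            return 0;
    return 1;
}

/* Source list of one "db: src src [criteria] src" line; returns the count or -1 for
 * blank, comment or malformed lines. Bracketed status criteria are skipped. */
int parse_nsswitch_line(const char *line, char srcs[][SRC_LEN], int max)
{
    char copy[256], *p, *tok, *save;
    int n = 0, in_criteria = 0;
    snprintf(copy, sizeof copy, "%s", line);
    copy[strcspn(copy, "#\n")] = '\0';
    if ((p = strchr(copy, ':')) == NULL) return -1;
    for (tok = strtok_r(p + 1, " \t", &save); tok != NULL; tok = strtok_r(NULL, " \t", &save)) {
        if (in_criteria || tok[0] == '[') { in_criteria = strchr(tok, ']') == NULL; continue; }
        if (n < max)
            snprintf(srcs[n++], SRC_LEN, "%s", tok);
    }
    return n;
}

/* The cache check the reply describes: re-read only when the file's mtime is newer than the
 * one recorded at the last load (assumed libc internals). Nothing notices the root changed. */
int config_changed(const char *path, time_t *confmod)
{
    struct stat st;
    if (stat(path, &st) == -1 || st.st_mtime <= *confmod) return 0;
    *confmod = st.st_mtime;
    return 1;
}

/* Re-read /etc/nsswitch.conf as seen from `root` if the cache says it changed and collect the
 * names dlopen() would get ("nss_<source>.so.1", resolved by rtld inside the new root).
 * Returns the count, or -1 if the cached configuration is kept. */
int reload_modules(const char *root, time_t *confmod, char modules[][MOD_LEN], int max)
{
    char path[512], line[256], srcs[MAX_SRC][SRC_LEN];
    int n = 0, i, nsrc; FILE *fp;
    snprintf(path, sizeof path, "%s/etc/nsswitch.conf", root);
    if (!config_changed(path, confmod) || (fp = fopen(path, "r")) == NULL) return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        nsrc = parse_nsswitch_line(line, srcs, MAX_SRC);
        for (i = 0; i < nsrc; i++)
            if (needs_dlopen(srcs[i]) && n < max)
                snprintf(modules[n++], MOD_LEN, "nss_%s.so.%d", srcs[i], NSS_MODULE_INTERFACE_VERSION);
    }
    fclose(fp);
    return n;
}

/* Write a file and pin the mtime the cache check will see. */
static int write_file(const char *path, const char *text, time_t mtime)
{
    struct timeval tv[2] = { { mtime, 0 }, { mtime, 0 } };
    FILE *fp = fopen(path, "w");
    if (fp == NULL || fputs(text, fp) == EOF || fclose(fp) != 0) return -1;
    return utimes(path, tv);
}

/* Constructed scenario: a daemon loads the system nsswitch.conf at start, then chroot()s into
 * a directory whose owner planted their own copy. Returns how many modules the post-chroot
 * reload would dlopen() and copies the first file name into `first`. */
int run_demo(char *first, size_t len)
{
    static const char *dirs[] = { "etc", "jail", "jail/etc" };
    char base[] = "/tmp/nsdemo.XXXXXX", jail[64], sys_conf[80], jail_conf[80], path[80];
    char modules[MAX_SRC][MOD_LEN];
    time_t confmod = 0, now = time(NULL);
    int i, before, after;
    if (mkdtemp(base) == NULL) return -1;
    for (i = 0; i < 3; i++) { snprintf(path, sizeof path, "%s/%s", base, dirs[i]); mkdir(path, 0700); }
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(sys_conf, sizeof sys_conf, "%s/etc/nsswitch.conf", base);
    snprintf(jail_conf, sizeof jail_conf, "%s/etc/nsswitch.conf", jail);
    write_file(sys_conf, "passwd: files\ngroup: files\n", now - 86400);   /* installed long ago */
    write_file(jail_conf, "passwd: files evil [notfound=return]\n", now); /* fresh, from the jail owner */
    before = reload_modules(base, &confmod, modules, MAX_SRC); /* daemon start: 0 modules */
    after = reload_modules(jail, &confmod, modules, MAX_SRC);  /* same path after chroot(): newer file wins */
    snprintf(first, len, "%s", after > 0 ? modules[0] : "");
    unlink(sys_conf); unlink(jail_conf);
    for (i = 2; i >= 0; i--) { snprintf(path, sizeof path, "%s/%s", base, dirs[i]); rmdir(path); }
    rmdir(base);
    return before == 0 ? after : -1;
}
```

`run_demo` returns 1 with `first` set to `nss_evil.so.1`: the pre-chroot load needs no module at all, but because the jail's copy of the file is newer than the one cached at startup, the same "/etc/nsswitch.conf" path is re-read after the root changes, and any source name the jail owner wrote becomes a library name handed to rtld, which now searches under the jail too. That is why the fix discussed in the thread targets these implicit dlopen()s specifically rather than dlopen() in general.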