svn commit: r228843 - head/contrib/telnet/libtelnet
head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen
head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
Andrey Chernov
ache at FreeBSD.ORG
Thu Dec 29 18:36:16 UTC 2011
On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/29/11 06:39, John Baldwin wrote:
> > Can you give some more details on why ftpd is triggering a dlopen
> > inside of the chroot? It would appear that that is unrelated to
> > helper programs (since setting a flag in libc in ftpd can't
> > possibly affect helper programs ability to use dlopen() from within
> > libc).
>
> Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if
> it notices a change. After chroot() the file is considered as
> "chang"ed and thus it reloads the file as well as designated shared
> libraries.
Another proposal more close to @secteam version, but less ugly: to have
public API rtld function (or env variable) which prevents _any_ dlopen(),
not guarded currently by libc only.
That way only rtld and ftpd's needs to be rebuilded, but not libc itself.
--
http://ache.vniz.net/
More information about the freebsd-security
mailing list