Re: svn commit: r228843 - head/contrib/telnet/libtelnet

Board: FB_security, posted 2011/12/30 03:01
On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
> On 12/29/11 06:39, John Baldwin wrote:
> > Can you give some more details on why ftpd is triggering a dlopen
> > inside of the chroot? It would appear that that is unrelated to
> > helper programs (since setting a flag in libc in ftpd can't
> > possibly affect helper programs ability to use dlopen() from within
> > libc).
>
> Sure. That's because nsdispatch(3) would reload /etc/nsswitch.conf if
> it notices a change. After chroot() the file is considered as
> "chang"ed and thus it reloads the file as well as designated shared
> libraries.

Another proposal, closer to the @secteam version but less ugly: to have
a public API rtld function (or env variable) which prevents _any_
dlopen(), not guarded currently by libc only. That way only rtld and
ftpd need to be rebuilt, but not libc itself.

-- 
http://ache.vniz.net/