[fbsd] Re: possible patch for implementing split DNS

Simon L. Nielsen simon at FreeBSD.org
Tue Aug 29 09:20:11 UTC 2006


On 2006.08.29 11:01:48 +0200, Jeremie Le Hen wrote:
> Hey,

> On Tue, Aug 29, 2006 at 10:50:02AM +0200, Simon L. Nielsen wrote:
> > On 2006.08.25 15:08:13 -0700, Julian Elischer wrote:
> > Since a bunch of people have suggested other solutions I just wanted
> > to add me 0.01$CURRENCY, FWIW.
> > 
> > Other than missing update for some manual page (not sure where this
> > should go) I don't see a problem adding this patch.  "Normal" users
> > should already be able to get similar functionality by simply
> > preloading a custom patched libc, so I don't see a problem supporting
> > this.
> 
> I agree with this statement.  If users really want to, they can
> compile their own libc.  However, nectar@ has added the following
> comment in nsdispatch.c:
> 
> % #if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT)
> %         /* NOTE WELL:  THIS IS A SECURITY HOLE. This must only be built
> %          * for debugging purposes and MUST NEVER be used in production.
> %          */
> %         path = getenv("NSSWITCH_CONF");
> %         if (path == NULL)
> % #endif  
> %         path = _PATH_NS_CONF;
> 
> We should remove this #if clause because of your argument.  I'm not sure
> it is worth documenting it however.

Well, nsswitch is part of the user authentication framework (I think),
so I'm not entirely sure if exactly the same argument can be used
safely.  I never really had a need to look at nsswitch, so I don't
know if it's used in contexts (other than set[ug]id) where overriding
nsswitch.conf can cause problems.

At least if that #if is removed it's probably required to add an
issetugid() check.

-- 
Simon L. Nielsen
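The guard discussed in the thread, as an added example that is not the nsdispatch.c code quoted above: the configuration path is taken from the NSSWITCH_CONF environment variable only when the process is not set-user-ID or set-group-ID. The default path and the function names are assumptions for illustration; on FreeBSD issetugid(2) answers the question directly, and the AT_SECURE fallback is an assumption so the example also builds on glibc/Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Assumed default, standing in for _PATH_NS_CONF. */
#define PATH_NS_CONF "/etc/nsswitch.conf"

/* Is this process running with privileges it did not get from the user
 * who launched it (set[ug]id binary or equivalent)?  That user controls
 * the environment, so environment-driven overrides must be ignored. */
static int running_setugid(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;   /* glibc/Linux fallback (assumption) */
#else
    return issetugid();                 /* FreeBSD, as suggested in the reply */
#endif
}

/* Unguarded variant: honours the override unconditionally.  This is the
 * pattern the thread flags as a security hole when reachable from
 * set[ug]id programs. */
const char *nss_conf_path_unguarded(const char *env_value)
{
    return env_value != NULL ? env_value : PATH_NS_CONF;
}

/* Guarded variant: the override is honoured only in a non-set[ug]id
 * process; otherwise the compiled-in default is always used.  The setugid
 * flag is a parameter so the behaviour can be exercised deterministically. */
const char *nss_conf_path_guarded(const char *env_value, int setugid)
{
    if (!setugid && env_value != NULL)
        return env_value;
    return PATH_NS_CONF;
}

/* Wrapper that reads the real environment and process state. */
const char *nss_conf_path(void)
{
    return nss_conf_path_guarded(getenv("NSSWITCH_CONF"), running_setugid());
}

int main(void)
{
    printf("nsswitch.conf path: %s\n", nss_conf_path());
    return 0;
}
```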
