svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...

Andrey Chernov ache at FreeBSD.ORG
Thu Dec 29 18:36:16 UTC 2011

On Thu, Dec 29, 2011 at 10:26:17AM -0800, Xin Li wrote:
> Hash: SHA1
> On 12/29/11 06:39, John Baldwin wrote:
> > Can you give some more details on why ftpd is triggering a dlopen
> > inside of the chroot?  It would appear that that is unrelated to
> > helper programs (since setting a flag in libc in ftpd can't
> > possibly affect helper programs ability to use dlopen() from within
> > libc).
> Sure.  That's because nsdispatch(3) would reload /etc/nsswitch.conf if
> it notices a change.  After chroot() the file is considered as
> "chang"ed and thus it reloads the file as well as designated shared
> libraries.

Another proposal more close to @secteam version, but less ugly: to have 
public API rtld function (or env variable) which prevents _any_ dlopen(), 
not guarded currently by libc only.

That way only rtld and ftpd's needs to be rebuilded, but not libc itself.


More information about the freebsd-security mailing list