Date:      Tue, 29 Aug 2006 12:23:40 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Jeremie Le Hen <jeremie@le-hen.org>
Cc:        "Simon L. Nielsen" <simon@FreeBSD.org>, FreeBSD Net <net@FreeBSD.org>
Subject:   Re: [fbsd] Re: possible patch for implementing split DNS
Message-ID:  <44F4943C.70600@elischer.org>
In-Reply-To: <20060829090148.GD15761@obiwan.tataz.chchile.org>
References:  <44EF6E18.6090905@elischer.org> <44EF74CD.6080500@elischer.org> <20060829085001.GB982@zaphod.nitro.dk> <20060829090148.GD15761@obiwan.tataz.chchile.org>

Jeremie Le Hen wrote:

>Hi Simon,
>
>On Tue, Aug 29, 2006 at 10:50:02AM +0200, Simon L. Nielsen wrote:
>  
>
>>On 2006.08.25 15:08:13 -0700, Julian Elischer wrote:
>>Since a bunch of people have suggested other solutions I just wanted
>>to add me 0.01$CURRENCY, FWIW.
>>
>>Other than missing update for some manual page (not sure where this
>>should go) I don't see a problem adding this patch.  "Normal" users
>>should already be able to get similar functionality by simply
>>preloading a custom patched libc, so I don't see a problem supporting
>>this.
>>    
>>
>
>I agree with this statement.  If users really want to, they can
>compile their own libc.  However, nectar@ has added the following
>comment in nsdispatch.c:
>
>% #if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT)
>%         /* NOTE WELL:  THIS IS A SECURITY HOLE. This must only be built
>%          * for debugging purposes and MUST NEVER be used in production.
>%          */
>%         path = getenv("NSSWITCH_CONF");
>%         if (path == NULL)
>% #endif  
>%         path = _PATH_NS_CONF;
>
>We should remove this #if clause because of your argument.  I'm not sure
>it is worth documenting it however.
>
>  
>

By testing for SUID and a few other cases this can be made safe.
Notice that my patch would not do anything on suid programs (which you
cannot use LD hacks with, for the same reason).

>Regards,
>  
>
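
The kind of guard discussed in this message, as an added example (not the patch under discussion and not FreeBSD's libc code): an environment-supplied configuration path is honoured only when the process is not set-id. The helper names, the default path value, the length bound and the absolute-path check are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_NS_CONF "/etc/nsswitch.conf" /* assumed value of _PATH_NS_CONF */
#define CONF_PATH_MAX   1024                 /* assumed bound, not from the page */

/* Portable approximation of a set-id test: real and effective ids differ.
 * FreeBSD's issetugid(2) is the stricter native check (it also covers
 * processes that changed ids after exec). */
static int process_is_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: choose the configuration path.
 * env_value is the result of getenv() (may be NULL); setid is passed in so
 * the policy can be exercised without installing a set-id binary. */
static const char *ns_conf_path(const char *env_value, int setid)
{
    if (setid)                          /* privileged: ignore the environment */
        return DEFAULT_NS_CONF;
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_NS_CONF;         /* unset, empty or relative path */
    if (strlen(env_value) >= CONF_PATH_MAX)
        return DEFAULT_NS_CONF;         /* would overflow a path buffer */
    return env_value;
}

int main(void)
{
    /* NSSWITCH_CONF is the variable name from the quoted nsdispatch.c code. */
    const char *path = ns_conf_path(getenv("NSSWITCH_CONF"),
                                    process_is_setid());
    printf("using %s\n", path);
    return 0;
}
```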


