
Re: story - part 3



>>>>> "k" == kiewicz  <Arkadiusz> writes:

    k> This fix should be added everywhere it is needed (i.e. after
    k> bind(), listen(), fcntl(), but most important is after
    k> socket()).

  That's exciting :P Okay, all done.

    k> IMHO rlinetd should ignore all files ".*~" || ".*.bak"
    k> (".*rpmnew", ".*.rpmorig", ".*.rpmsave",too - files on system
    k> where rpm packet manager is used) etc. These files are usually
    k> backups.

  New feature: 'directory "/etc/rlinetd.conf" "[^~]$";'

  ie, you supply a regexp to filter the files with. So presumably a RH 
dist would do 'directory "..." "!(rpmorig$|rpmsave$)";' or something
like that.

    k> So IMHO family ipv6; must be done in another way than only
    k> setting ai_family to AF_INET6 before getaddrinfo(). Sorry - no
    k> bonus.

  I'm actually fairly content with this - the family directive isn't
intended to restrict functionality, only to expand it. If you want to
restrict connections to IPv6 only, I'll have some news for you this
week.

    k> 4) Setting limits still doesn't work.  if(setrlimit(*++op,
    k> rlimittab_get(*++op))) { wrong args are passed to setrlimit()
[...]
    k> 	case OP_RLIMIT: if(setrlimit(*op, rlimittab_get(*(op+2))) < 0)
    k> { rl_fail1("setrlimit"); } op=op+2; break;

  This should not work. This should seriously not work. What compiler
are you using? I can set rlimits here 'til the cows come home, and
they all work correctly. Can you please email me an entire
configuration that doesn't set limits correctly? Maybe one of the
other directives that you have in there causes things to work
differently, which would be why I can't reproduce it... are you
running on some exotic hardware, by any chance?

    k> 5) chroot() is cool but when I run service as user "nobody":
    k> Aug 7 11:42:50 linstar rlinetd[2111]: chroot("/test"):
    k> Permission denied but service is executed and it's running in
    k> non-chroot()ed environment !!  IMHO it should fail (for security
    k> reasons).

  Agreed, done.

    k> Another thing with chroot(). It's chroot()ing after setuid() so
    k> if I specify user "some_user_other_than_root"; chrooting always
    k> fails ;-( IMHO chroot() should be executed _before_ setuid().

  Also done.

    k> 6) on *BSD/KAME (www.kame.net) rlinetd should link with
    k> libinet6.a for getaddrinfo() and other IPv6 functions...

  Okay, configure should now be looking for getaddrinfo in libinet6,
and using it if it's there.

m.
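For reference, here is the ordering the two chroot() points above boil down to (chroot while still root, then drop groups/gid/uid, and refuse to continue if any step fails), as an added illustration rather than rlinetd's own code; the function name `confine_and_drop` is made up for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to root_dir (if non-NULL), then drop to uid/gid.
 * Order matters: chroot() needs root, so it runs BEFORE setuid();
 * chdir("/") moves the cwd inside the new root so nothing can still
 * reach the old tree through a directory handle.
 * Returns 0 on success, -1 on any failure; the caller must exit on -1
 * rather than keep serving outside the jail or with too many rights. */
int confine_and_drop(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir != NULL) {
        if (chroot(root_dir) < 0) {
            fprintf(stderr, "chroot(\"%s\"): %s\n", root_dir, strerror(errno));
            return -1;  /* fail closed: never run un-chrooted */
        }
        if (chdir("/") < 0) {
            fprintf(stderr, "chdir(\"/\"): %s\n", strerror(errno));
            return -1;
        }
    }
    /* Supplementary groups first (only root may clear them), then gid,
     * then uid last, because after setuid() the others can't change. */
    if (geteuid() == 0 && setgroups(0, NULL) < 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) < 0) {
        fprintf(stderr, "setgid(%ld): %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) < 0) {
        fprintf(stderr, "setuid(%ld): %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Verify the drop is real: being able to regain root is a failure. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid)) {
        fprintf(stderr, "privilege drop did not take\n");
        return -1;
    }
    return 0;
}
```

Called as a non-root user the chroot step fails with EPERM, which is exactly the case the message above wants treated as fatal instead of silently continuing.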