[avahi] chroot & symlink

Philipp Kempgen philipp.kempgen at amooma.de
Sat Jan 12 07:36:51 PST 2008

Lennart Poettering wrote:
> On Fri, 11.01.08 23:43, Philipp Kempgen (philipp.kempgen at amooma.de) wrote:
>> Philipp Kempgen wrote:
>>> Avahi seems to chroot before reading /etc/avahi/services/*.service .
>>> So if one of those is a symlink to some file outside of the chroot
>>> environment Avahi can't read it.
>>> Works fine with --no-chroot or --no-drop-root .
>> OK, as I have not received any reply:
>> - Didn't I make it clear enough that the described behavior
>>   causes problems?
>> - Do you think it's not a bug? (although such a setup is
>>   possible with other daemons)
>> - As I'm using Avahi on Debian, should I have contacted the
>>   package maintainer first although I don't think the problem
>>   is specific to Debian?
>> - Is it that nobody has the time to look into it and/or
>>   fix it anyway? (which would be perfectly understandable -
>>   just tell me)
>> Just to make it clear: A "patches are welcome" type of reply
>> would be fine with me.
> Oh. I didn't get that this was intended to be a real problem report,
> sorry. 
> Yes, I wouldn't consider this a real bug. Just something people should
> be aware of. Fixing this is far from trivial and might introduce
> possible security holes (since we'd need to punch additional holes
> into the chrooting for accessing more files outside of it), and I am
> quite sure that the benefit of fixing this would not be worth it.
> I would happily merge a patch though, that would document this
> behaviour in the man pages, and possibly some additional code that
> warns the user via syslog if an absolute symlink or one that points
> outside of the chroot is found in the services dir. So: Patches are
> welcome!

OK. :-)
Thanks for sharing your opinion.

  Philipp Kempgen

More information about the avahi mailing list