[avahi] chroot & symlink
Philipp Kempgen
philipp.kempgen at amooma.de
Sat Jan 12 07:36:51 PST 2008
Lennart Poettering wrote:
> On Fri, 11.01.08 23:43, Philipp Kempgen (philipp.kempgen at amooma.de) wrote:
>
>> Philipp Kempgen wrote:
>>
>>> Avahi seems to chroot before reading /etc/avahi/services/*.service .
>>> So if one of those is a symlink to some file outside of the chroot
>>> environment Avahi can't read it.
>>> Works fine with --no-chroot or --no-drop-root .
>> OK, as I have not received any reply:
>> - Didn't I make it clear enough that the described behavior
>> causes problems?
>> - Do you think it's not a bug? (although such a setup is
>> possible with other daemons)
>> - As I'm using Avahi on Debian, should I have contacted the
>> package maintainer first although I don't think the problem
>> is specific to Debian?
>> - Is it that nobody has the time to look into it and/or
>> fix it anyway? (which would be perfectly understandable -
>> just tell me)
>>
>> Just to make it clear: A "patches are welcome" type of reply
>> would be fine with me.
>
> Oh. I didn't get that this was intended to be a real problem report,
> sorry.
>
> Yes, I wouldn't consider this a real bug. Just something people should
> be aware of. Fixing this is far from trivial and might introduce
> possible security holes (since we'd need to punch additional holes
> into the chrooting for accessing more files outside of it), and I am
> quite sure that the benefit of fixing this would not be worth it.
>
> I would happily merge a patch though, that would document this
> behaviour in the man pages, and possibly some additional code that
> warns the user via syslog if an absolute symlink or one that points
> outside of the chroot is found in the services dir. So: Patches are
> welcome!
OK. :-)
Thanks for sharing your opinion.
Regards,
Philipp Kempgen