On Tue, 24 Jul 2007, Jan-Frode Myklebust wrote:

> I changed it to resolve the name once it reads it from the config file.
> Now my completely empty CHROOT=/var/empty/policyd works fine.
>
> --------------------------------------------------------------------------
> --- generic.c.original  2007-07-24 15:48:36.000000000 +0200
> +++ generic.c   2007-07-24 16:34:25.000000000 +0200
> @@ -522,6 +522,12 @@
>         logmessage("malloc(): %s\n", strerror(errno));
>         exit(-1);
>       }
> +      struct hostent *he = gethostbyname(MYSQLHOST);
> +      if (he == NULL) {
> +        logmessage("gethostbyname() for MYSQLHOST failed\n", 
> strerror(errno));
> +        exit(-1);
> +      } else
> +         MYSQLHOST = inet_ntoa( *( struct in_addr*) he->h_addr_list[0]);
>     }
>
>     /* MYSQL DATABASE */
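
Review bot: At the `MYSQLHOST = inet_ntoa(...)` assignment, MYSQLHOST is left pointing at inet_ntoa()'s static buffer, which any later inet_ntoa() call overwrites; copy the string into storage the program owns instead. In the error branch, the logmessage() format string has no %s for the strerror(errno) argument, and gethostbyname() reports failure through h_errno rather than errno, so log hstrerror(h_errno) with a matching %s. The `else` after `exit(-1)` is redundant, and declaring `he` in the middle of the block requires C99.
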
> --------------------------------------------------------------------------

The above would add an IPv4 dependency back into the code because of 
gethostbyname(), inet_ntoa(), and struct in_addr.  At some point in the 
future your MySQL server may have an IPv6 address.

More importantly though, shouldn't this problem be resolved at the mysql 
level since mysql_real_connect() doesn't require a numeric IP address for 
the server target?  Forcing policyd to do so removes some flexibility from 
the mysql client API.  In a situation where the MySQL server is specified 
by name but has multiple IP addresses, some of which may not be reachable 
either because of routing or server access policy, you really want the 
client to try each address rather than only the first and then possibly 
give up prematurely.  But where performance is a concern, you're gonna 
code a numeric IP address anyway instead of a hostname.  And if you do 
that then you don't need to resolve before the chroot.

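If the name is resolved before the chroot anyway, the two objections raised in the reply above (the IPv4-only calls, and keeping only the first address) can both be avoided with getaddrinfo() and getnameinfo(). The following is an added example, not part of the original message or of policyd's code; `resolve_all`, `connect_any`, `demo_connect` and the buffer sizes are hypothetical, and the connect callback stands in for a call such as mysql_real_connect().

```c
/* Added example, not policyd code; helper names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() under strict -std */
#endif
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_ADDRS 8
#define ADDR_LEN  64   /* fits any numeric IPv4/IPv6 address string */

/* Call before chroot(), while resolver files are still reachable.
 * Stores every address of host as a numeric string (IPv4 or IPv6).
 * Returns the number stored, or -1 on failure. */
int resolve_all(const char *host, char out[][ADDR_LEN], int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0;

    if (host == NULL || *host == '\0')
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* no IPv4-only assumption */
    hints.ai_socktype = SOCK_STREAM;   /* one entry per address */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next)
        /* writes into the caller's buffer, unlike inet_ntoa() */
        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, out[n], ADDR_LEN,
                        NULL, 0, NI_NUMERICHOST) == 0)
            n++;
    freeaddrinfo(res);
    return n > 0 ? n : -1;
}

/* After chroot(): hand each saved address to try_connect (hypothetical
 * callback, e.g. a wrapper around mysql_real_connect()) until one works.
 * Returns the index that connected, or -1 if none did. */
int connect_any(char addrs[][ADDR_LEN], int n, int (*try_connect)(const char *))
{
    int i;
    for (i = 0; i < n; i++)
        if (try_connect(addrs[i]) == 0)
            return i;
    return -1;
}

/* Constructed stand-in for a connect attempt: only "::1" is reachable. */
int demo_connect(const char *addr) { return strcmp(addr, "::1") == 0 ? 0 : -1; }
```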