slide 34 resolver not chrooted
If the only nameserver entry in /etc/resolv.conf is, say, 127.0.0.1 or localhost, such as when using unbound, couldn't OpenSMTPD's resolver read that line and chroot without issues like DHCP changes?

-- 
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: slide 34 resolver not chrooted
On Thu, Aug 07, 2014 at 11:30:02AM +0100, Kevin Chadwick wrote:
> If the only nameserver entry in /etc/resolv.conf is, say, 127.0.0.1 or localhost, such as when using unbound, couldn't OpenSMTPD's resolver read that line and chroot without issues like DHCP changes?

I think the problem is that you can't read the file again after being chrooted. So you won't know if it's updated.

You could open(2) the file and keep the fd open after chrooting. However, if resolv.conf were unlinked and then rewritten, you wouldn't get those updates.
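The distinction drawn above, between an in-place rewrite and an unlink-and-recreate, is easy to demonstrate. The following is an added example, not code from the thread or from OpenSMTPD: it opens a constructed stand-in for resolv.conf (a temporary file under /tmp, assumed writable), keeps the descriptor as a daemon would before calling chroot(2), and then checks what that descriptor sees after each kind of update. The nameserver addresses are constructed from documentation address space.

```c
/*
 * Added example (not from the mailing list thread or OpenSMTPD).
 * Shows why a descriptor opened before chroot(2) only follows the
 * original inode: an in-place rewrite is visible through it, an
 * unlink + recreate is not.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Truncate and rewrite `path`: same inode, new bytes. */
static int rewrite_in_place(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, contents, strlen(contents));
    close(fd);
    return n == (ssize_t)strlen(contents) ? 0 : -1;
}

/* Unlink and recreate `path`: a fresh inode; old descriptors keep the old one. */
static int replace_by_unlink(const char *path, const char *contents)
{
    if (unlink(path) < 0)
        return -1;
    return rewrite_in_place(path, contents);
}

/* Re-read the whole file from offset 0 through a descriptor held open earlier. */
static ssize_t read_via_fd(int fd, char *buf, size_t len)
{
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/*
 * Runs the scenario on a temporary file (constructed stand-in for resolv.conf).
 * Returns 1 if the held descriptor saw the in-place rewrite but NOT the
 * unlink + rewrite, 0 if either observation differs, -1 on a setup error.
 */
int held_fd_misses_unlink_rewrite(void)
{
    char path[] = "/tmp/resolv-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);

    if (rewrite_in_place(path, "nameserver 127.0.0.1\n") < 0) {
        unlink(path);
        return -1;
    }

    /* A daemon would take this descriptor, then chroot(2). */
    int held = open(path, O_RDONLY);
    if (held < 0) {
        unlink(path);
        return -1;
    }

    char buf[128];
    int result = 1;

    /* 1. In-place update: same inode, so the held descriptor sees the new data. */
    rewrite_in_place(path, "nameserver 192.0.2.53\n");
    read_via_fd(held, buf, sizeof buf);
    if (strcmp(buf, "nameserver 192.0.2.53\n") != 0)
        result = 0;

    /* 2. Unlink + recreate: new inode, so the held descriptor still shows stale data. */
    replace_by_unlink(path, "nameserver 198.51.100.53\n");
    read_via_fd(held, buf, sizeof buf);
    if (strcmp(buf, "nameserver 192.0.2.53\n") != 0)
        result = 0;

    close(held);
    unlink(path);
    return result;
}

int main(void)
{
    int r = held_fd_misses_unlink_rewrite();
    printf("held fd misses unlink+rewrite: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Whether a given tool updates resolv.conf in place or by rename/unlink is not something the chrooted process can control, which is why a held descriptor is not a reliable substitute for re-reading the path.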
Re: slide 34 resolver not chrooted
> Yeah, I'm not sure whether it is worth the effort, but I was thinking: if a user has set a localhost as the nameserver, then can we be very close to certain that they are not going to change the resolv.conf?

Having two DNS resolvers behave completely differently because they're using different configuration data seems confusing and dangerous to me.
Re: slide 34 resolver not chrooted
On Thu, 7 Aug 2014 19:39:28 +0200 Alexander Schrijver wrote:
>> Yeah, I'm not sure whether it is worth the effort, but I was thinking: if a user has set a localhost as the nameserver, then can we be very close to certain that they are not going to change the resolv.conf?
>
> Having two DNS resolvers behave completely differently because they're using different configuration data seems confusing and dangerous to me.

In the localhost case? Changing your DNS randomly on a mail server seems confusing and dangerous to me. As a client, well, shouldn't you be using crypto/submission and not trusting DNS in any way?

All I am wondering is how many use base unbound or a static setup with OpenSMTPD, and if there should at least be a knob to turn chroot on/off?
Re: slide 34 resolver not chrooted
On Thu, Aug 07, 2014 at 07:15:32PM +0100, Kevin Chadwick wrote:
> On Thu, 7 Aug 2014 19:39:28 +0200 Alexander Schrijver wrote:
>>> Yeah, I'm not sure whether it is worth the effort, but I was thinking: if a user has set a localhost as the nameserver, then can we be very close to certain that they are not going to change the resolv.conf?
>>
>> Having two DNS resolvers behave completely differently because they're using different configuration data seems confusing and dangerous to me.
>
> In the localhost case? Changing your DNS randomly on a mail server seems confusing and dangerous to me. As a client, well, shouldn't you be using crypto/submission and not trusting DNS in any way?
>
> All I am wondering is how many use base unbound or a static setup with OpenSMTPD, and if there should at least be a knob to turn chroot on/off?

Nope, there's currently no way to turn off chrooting for the lookup process.

It's not really a resolver thing; we could have the resolver code in a chroot with some refactoring, but we need a process that does not run chrooted for other lookup purposes, and it's more convenient to have the resolver code handled by that process.

-- 
Gilles Chehade

https://www.poolp.org @poolpOrg
Re: slide 34 resolver not chrooted
On Thu, 7 Aug 2014 20:41:39 +0200 Gilles Chehade wrote:
> Nope, there's currently no way to turn off chrooting for the lookup process.
>
> It's not really a resolver thing; we could have the resolver code in a chroot with some refactoring, but we need a process that does not run chrooted for other lookup purposes, and it's more convenient to have the resolver code handled by that process.

Fair enough, and thanks for replying. I expected that there was probably more to it and that it had already been considered, and possibly discussed too much already.