[Bug 475012] New: privoxy fails to look up hosts

https://bugzilla.novell.com/show_bug.cgi?id=475012

Summary: privoxy fails to look up hosts
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i586
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mwelinder@gmail.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-1.1 Firefox/3.0.5

Upon reboot, privoxy fails to look up any host names and presents the corresponding error page. "/etc/init.d/privoxyd restart" fixes the issue.

This did _not_ happen with the original 11.1. I think it started a few weeks ago.

On the assumption that privoxy gets started too early, I added "$named" to /etc/init.d/privoxyd under "Required-Start:". That made no difference. (Should I run anything after doing that?)

/etc/resolv.conf contains only "nameserver 127.0.0.1". The system runs "named".

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mwelinder@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c1

--- Comment #1 from Morten Welinder <mwelinder@gmail.com> 2009-02-13 17:05:39 MST ---
And the reason is...

diff -ur /var/lib/privoxy/etc//resolv.conf /etc//resolv.conf
--- /var/lib/privoxy/etc//resolv.conf 2009-02-13 18:50:31.000000000 -0500
+++ /etc//resolv.conf 2009-02-13 18:51:45.000000000 -0500
@@ -17,3 +17,4 @@
 # file and in case of a "netconfig update -f" call.
 #
 ### Please remove (at least) this line when you modify the file!
+nameserver 127.0.0.1

In other words, privoxy is started before the network is set up right.

Note: it surely misses other updates to /etc/resolv.conf as well, so this setup is fairly broken.
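Review bot: the only difference between the two files is the missing "nameserver 127.0.0.1" line in /var/lib/privoxy/etc//resolv.conf, which shows the copy inside the chroot is a snapshot taken before netconfig had written the real /etc/resolv.conf (the "netconfig update -f" comment line is present in both, the nameserver line only in the live file). A one-time copy at daemon start cannot stay correct; whatever copies the resolver config into the jail has to be re-run on every network change, in the same place that restarts the daemon when an interface comes up, otherwise later edits to /etc/resolv.conf are silently lost inside the jail exactly as the note below says.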

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mwelinder@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c2

Morten Welinder <mwelinder@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |security_vulnerability

--- Comment #2 from Morten Welinder <mwelinder@gmail.com> 2009-02-13 17:17:50 MST ---
Also, this does not look quite right:

# lsof -p 2987 | grep DIR
privoxy   2987 privoxy    cwd DIR 8,6 4096 911303 /var/lib/privoxy
privoxy   2987 privoxy    rtd DIR 8,6 4096 911303 /var/lib/privoxy
privoxy   2987 privoxy     3r DIR 8,6 4096 576600 /etc/init.d/rc5.d

It looks like some file handle to /etc/init.d/rc5.d is inadvertently leaked from the boot system into servers. If I am not mistaken, then this -- together with the openat system call -- means that the whole chroot setup is circumvented.

This probably applies to other servers too:

# lsof | grep DIR | grep rc
dbus-daem 2030 messagebus  3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
hald      2131 haldaemon   3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
console-k 2139 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
startpar  2414 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
avahi-dae 2689 avahi       3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
modem-man 2886 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
wpa_suppl 2889 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
nm-system 2891 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
privoxy   2987 privoxy     3r DIR 8,6 4096 576600 /etc/init.d/rc5.d
bluetooth 4174 root        3r DIR 8,6 4096 576600 /etc/init.d/rc5.d

Tentatively adding keyword "security_vulnerability" to get this sorted out.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mwelinder@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c3

--- Comment #3 from Morten Welinder <mwelinder@gmail.com> 2009-02-13 17:28:03 MST ---
Adding this to /etc/init.d/privoxyd works around the problem. A bit crude, though!

    # block until netconfig has written at least one nameserver entry
    until grep -q '^nameserver' /etc/resolv.conf; do
        echo "Waiting for name server"
        sleep 1
    done

https://bugzilla.novell.com/show_bug.cgi?id=475012

Pavol Rusnak <prusnak@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |mseben@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mwelinder@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c4

--- Comment #4 from Morten Welinder <mwelinder@gmail.com> 2009-02-25 17:31:55 MST ---
Chances are that the DNS trouble was triggered (but not actually _caused_) by bug 473308. That still leaves...

1. Creating the chroot setup is done too early.
2. Changes to the DNS setup are not tracked in the chroot jail.
3. The security issues discussed in comment 2.

https://bugzilla.novell.com/show_bug.cgi?id=475012

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|security_vulnerability      |
                 CC|                            |security-team@suse.de
            Summary|privoxy fails to look up    |VUL-0: privoxy chroot
                   |hosts                       |escape

https://bugzilla.novell.com/show_bug.cgi?id=475012

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mseben@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c5

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CLOSED
         Resolution|                            |FIXED

--- Comment #5 from Michal Seben <mseben@novell.com> 2009-03-12 03:26:16 MST ---
ok, I finally found the bug. There was a problem with the /etc/NetworkManager/dispatcher.d/privoxyd script. This script is called by NetworkManager when a network interface comes up/down, and here we check if the privoxy daemon should be running; if yes, we restart it. And right here was the problem: we check the "privoxy" daemon, but the right name is "privoxyd", so we didn't restart privoxy and we didn't copy resolv.conf after the interface came up.

I pushed the fix to Factory. Thanks for the report.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c6

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |

--- Comment #6 from Ludwig Nussel <lnussel@novell.com> 2009-03-12 03:45:03 MST ---
What about the chroot issue? I suppose privoxy runs chrooted for security reasons, so the ability to access files outside is a security flaw. The daemon should close all file descriptors upon start. The other daemons in the list don't chroot, so not much of a problem there.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mseben@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c7

--- Comment #7 from Michal Seben <mseben@novell.com> 2009-03-12 09:12:13 MST ---
hm, the /etc/init.d/rc5.d leak is still here when the system boots up without a network connection (dispatcher.d/privoxyd isn't called). I will check this. Thanks.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mseben@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c8

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |CLOSED
         Resolution|                            |FIXED

--- Comment #8 from Michal Seben <mseben@novell.com> 2009-03-13 05:42:48 MST ---
ok, I found the problem with "/etc/init.d/rc5.d": the init script didn't call privoxyd through startproc. If you have any comment, please reopen this bug again.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c9

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |

--- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2009-03-13 07:06:00 MST ---
Since privoxy has the chroot feature built in, it should take care to close fds itself. So while we can fix it with startproc (+ an update of startpar, which leaks the fd), this should be reported and fixed upstream too. Due to potential security implications we need to fix this in all distributions.
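Ludwig's point in comments 6 and 9 is that a daemon with a built-in chroot has to close inherited descriptors itself rather than rely on startproc or startpar doing it. What that looks like in the daemon, as an added example written for this thread (not privoxy's or openSUSE's code; the function names and the 65536 scan cap are my own choices): an audit that counts inherited directory handles like the rc5.d one lsof showed, a sweep that closes everything above stderr, and the chroot entry done in that order.

```c
#define _GNU_SOURCE             /* chroot() declaration in <unistd.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scan bound: sysconf() may return -1 or a huge soft limit, so cap it. */
static long fd_limit(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    return (maxfd > 0 && maxfd <= 65536) ? maxfd : 65536;
}

/* Audit: count open descriptors >= lowfd that refer to directories (what
 * lsof listed as "3r DIR ... /etc/init.d/rc5.d"); expect zero before chroot. */
int count_inherited_dir_fds(int lowfd) {
    long maxfd = fd_limit();
    int n = 0;
    for (long fd = lowfd; fd < maxfd; fd++) {
        struct stat st;
        if (fstat((int)fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* Hygiene: close every descriptor >= lowfd, whatever the parent left open. */
int close_inherited_fds(int lowfd) {
    long maxfd = fd_limit();
    int closed = 0;
    for (long fd = lowfd; fd < maxfd; fd++)
        if (close((int)fd) == 0)
            closed++;
    return closed;                      /* how many were actually open */
}

/* Safe order: drop inherited fds, chroot(), then chdir("/") so the working
 * directory is inside the jail too. Needs root; returns 0 on success. */
int enter_chroot(const char *jail) {
    close_inherited_fds(3);                     /* keep fds 0, 1, 2 only */
    return (chroot(jail) == 0 && chdir("/") == 0) ? 0 : -1;
}

int main(void) {
    int fd = open("/etc", O_RDONLY | O_DIRECTORY);  /* simulate the leak */
    printf("leaked dir fds: %d\n", count_inherited_dir_fds(3));
    printf("closed: %d\n", close_inherited_fds(3));
    printf("left: %d\n", count_inherited_dir_fds(3));
    return fd < 0;
}
```

The same audit run against a live process (fstat on each fd) is a cheap startup self-check a chrooting daemon can log before it calls chroot(), independent of how it was launched.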

https://bugzilla.novell.com/show_bug.cgi?id=475012

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |lnussel@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=475012

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c12

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
      Info Provider|lnussel@novell.com          |
         Resolution|                            |FIXED

--- Comment #12 from Ludwig Nussel <lnussel@novell.com> 2009-03-26 02:25:39 MST ---
We're not going to treat this as a security issue. We'll fix startpar instead.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User mseben@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c13

--- Comment #13 from Michal Seben <mseben@novell.com> 2009-03-26 03:20:30 MST ---
Just to be sure ... should the leaked fds be reported and fixed upstream, as you suggested in Comment #9? Thanks.

https://bugzilla.novell.com/show_bug.cgi?id=475012

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=475012#c14

--- Comment #14 from Ludwig Nussel <lnussel@novell.com> 2009-03-26 03:24:15 MST ---
There are different opinions. Some say that it is too expensive at startup and that the parent has to take care not to leak fds. So no action for now.