public inbox for glibc-bugs@sourceware.org
From: "sjon at hortensius dot net" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/27389] New: getaddrinfo in chroot broken by added dlopen block
Date: Wed, 10 Feb 2021 08:19:18 +0000
Message-ID: <bug-27389-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27389

            Bug ID: 27389
           Summary: getaddrinfo in chroot broken by added dlopen block
           Product: glibc
           Version: 2.33
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: sjon at hortensius dot net
  Target Milestone: ---

I have an issue that I suspect is caused by a recent glibc change, but I
haven't 100% ruled out another cause, so this report might be bogus.

I use PHP-FPM [1] with chroots enabled. Since upgrading glibc, name resolving
(via DNS) fails with "getaddrinfo failed: System error" in my chroot, and I'm
pretty sure it is caused by the recently added "Block attempts to dlopen any
module we haven't already opened" [2].

What seems to happen is that the PHP-FPM master process only loads
libnss_files.so.2 and libnss_systemd.so.2 because it uses those to resolve the
username (this matches nsswitch.conf, which contains "passwd: files systemd").

If any of the FPM workers then attempts to perform DNS resolving, that fails
because libnss_dns.so.2 has not been loaded yet (even though I made it
available in the chroot), and due to the recent change it won't be loaded
either.

I have confirmed I can "fix" it by forcing the FPM master to load the dns
module: modifying nsswitch.conf outside of the chroot to contain
"passwd: dns files systemd" fixes it.

1. https://www.php.net/manual/en/install.fpm.php
2. https://github.com/bminor/glibc/commit/429029a73ec2dba7f808f69ec8b9e3d84e13e804#diff-9305f1992144bc8c923a840d44827642f1c3f57e3df85a69357fff2fe7370fb8R352

-- 
You are receiving this mail because:
You are on the CC list for the bug.
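The following is an added illustration and is not part of the bug report or of glibc. It models the situation the report describes: given an nsswitch.conf, the databases a parent process looked up before calling chroot(), and the database a worker queries afterwards, it lists the NSS modules that would still have to be dlopen'ed inside the chroot, which is exactly what the glibc 2.33 change refuses to do. Assumption (labelled in the code): every service listed on a queried database line is treated as loaded. glibc actually loads modules lazily while walking the list, so the model can under-report missing modules but never reports a loaded module as missing. The sample configurations are constructed, not copied from any system.

```c
/*
 * Added example, not part of bug 27389 or of glibc.
 * Predict which NSS modules a lookup of `target` would still need to dlopen
 * after chroot, given the databases queried before the chroot.
 * Assumption: every service named on a queried database line counts as
 * loaded (optimistic; glibc loads lazily while walking the list).
 */
#include <stdio.h>
#include <string.h>

#define MAX_MODS 32
#define NAME_LEN 32

/* Constructed sample configurations (not from a real system). */
static const char SAMPLE_NSSWITCH[] =
    "# constructed: the layout the report describes\n"
    "passwd: files systemd\n"
    "group:  files systemd\n"
    "hosts:  files dns\n";

static const char WORKAROUND_NSSWITCH[] =
    "passwd: dns files systemd\n"   /* the reporter's workaround */
    "group:  files systemd\n"
    "hosts:  files dns\n";

struct modset { char names[MAX_MODS][NAME_LEN]; int n; };

static int modset_has(const struct modset *s, const char *m) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->names[i], m) == 0) return 1;
    return 0;
}

static void modset_add(struct modset *s, const char *m) {
    if (s->n < MAX_MODS && !modset_has(s, m)) {
        strncpy(s->names[s->n], m, NAME_LEN - 1);
        s->names[s->n][NAME_LEN - 1] = '\0';
        s->n++;
    }
}

/* Copy the next blank-delimited token of the current line into out.
   Returns 0 at end of line or at a '#' comment. */
static int next_token(const char **p, char *out, size_t n) {
    const char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '\0' || *s == '\n' || *s == '#') return 0;
    size_t i = 0;
    while (*s && *s != ' ' && *s != '\t' && *s != '\n' && *s != '#') {
        if (i + 1 < n) out[i++] = *s;
        s++;
    }
    out[i] = '\0';
    *p = s;
    return 1;
}

/* Add every service named on the "db:" line of conf to out. Action
   specifiers such as [NOTFOUND=return] are skipped. Returns 1 if the
   database is configured, 0 if not. */
static int services_for(const char *conf, const char *db, struct modset *out) {
    size_t dblen = strlen(db);
    for (const char *line = conf; *line; ) {
        const char *eol = strchr(line, '\n');
        const char *next = eol ? eol + 1 : line + strlen(line);
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;
        if (strncmp(p, db, dblen) == 0 && p[dblen] == ':') {
            p += dblen + 1;
            char tok[NAME_LEN];
            int in_action = 0;
            while (next_token(&p, tok, sizeof tok)) {
                if (tok[0] == '[') in_action = 1;   /* "[STATUS=action]" */
                if (!in_action) modset_add(out, tok);
                if (tok[strlen(tok) - 1] == ']') in_action = 0;
            }
            return 1;
        }
        line = next;
    }
    return 0;
}

/* Modules `target` would still have to dlopen after chroot, given that the
   databases in the blank-separated list pre_dbs were queried before it.
   Returns a static, space-joined list; "" means nothing is missing. */
const char *missing_after_chroot(const char *conf, const char *pre_dbs,
                                 const char *target) {
    static char result[MAX_MODS * NAME_LEN];
    struct modset loaded, need;
    char db[NAME_LEN];
    memset(&loaded, 0, sizeof loaded);
    memset(&need, 0, sizeof need);
    for (const char *p = pre_dbs; next_token(&p, db, sizeof db); )
        services_for(conf, db, &loaded);
    services_for(conf, target, &need);
    result[0] = '\0';
    for (int i = 0; i < need.n; i++) {
        if (modset_has(&loaded, need.names[i])) continue;
        if (result[0]) strcat(result, " ");
        strcat(result, need.names[i]);
    }
    return result;
}

int main(void) {
    const char *pre = "passwd group";   /* what the FPM master resolves */
    printf("report's config: hosts lookup in chroot still needs \"%s\"\n",
           missing_after_chroot(SAMPLE_NSSWITCH, pre, "hosts"));
    printf("workaround config: hosts lookup in chroot still needs \"%s\"\n",
           missing_after_chroot(WORKAROUND_NSSWITCH, pre, "hosts"));
    return 0;
}
```

Because the model assumes the best case about what the parent loaded, anything it reports missing is certainly not loaded before the chroot. The reporter's trick works in this model for the same reason it works in practice: "dns" appears on a database line the master queries, so the module is dlopen'ed even though it serves no passwd entries. The obvious alternative, warming the hosts database from the parent, only helps if the lookup actually reaches the dns service; a name answered by files (localhost, say) stops the NSS walk before libnss_dns.so.2 is ever opened.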
Thread overview: 11+ messages

  2021-02-10  8:19 sjon at hortensius dot net [this message]
  2021-02-10  8:41 ` [Bug network/27389] getaddrinfo in chroot broken by added dlopen block sjon at hortensius dot net
  2021-02-16 12:45 ` fweimer at redhat dot com
  2021-02-16 14:47 ` hyc at symas dot com
  2021-02-16 14:50 ` fweimer at redhat dot com
  2021-02-17 13:37 ` [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments fweimer at redhat dot com
  2021-02-17 13:37 ` fweimer at redhat dot com
  2021-02-17 14:20 ` stli at linux dot ibm.com
  2021-03-04 11:46 ` fweimer at redhat dot com
  2021-03-11  8:13 ` crosser at average dot org
  2021-09-01  9:25 ` fweimer at redhat dot com