public inbox for libc-help@sourceware.org
* Re: Idea / Patch to add very simple uid filtering to resolv.conf
@ 2023-09-12 15:34 mfulz
  0 siblings, 0 replies; 3+ messages in thread
From: mfulz @ 2023-09-12 15:34 UTC (permalink / raw)
  To: Florian Weimer; +Cc: libc-help

[-- Attachment #1: Type: text/plain, Size: 829 bytes --]

> It's complexity we'd have to maintain.

Valid point, and if there is no use for anyone, totally ok.

But the point for a service is that I'd basically have to keep a fork of libresolv and nss_dns up to date for this change, which is much more work.

That's the reason why I was asking, perhaps some others would see some need for it.

> It also breaks in case processes
> switch to some other for increased isolation (perhaps with user
> namespaces).

Therefore I wanted to keep the legacy behavior untouched.
If there is no need to use uid filters, just dig with the used config without any changes.

> I recommend the separate service module approach.

If I have to do it that way, sure.
Perhaps someone can give me some hints if there is an easier way to go for it instead of cloning the whole nss_dns including libresolv?


* Re: Idea / Patch to add very simple uid filtering to resolv.conf
  2023-09-12 12:25 Matthias Fulz
@ 2023-09-12 14:50 ` Florian Weimer
  0 siblings, 0 replies; 3+ messages in thread
From: Florian Weimer @ 2023-09-12 14:50 UTC (permalink / raw)
  To: Matthias Fulz; +Cc: libc-help

* Matthias Fulz:

> Further if the uid is not added to the line the behavior would be the
> same as it was before the patch.
> Would be nice if this could be included, or at least please explain
> why not for my understanding as I can't see any reason that would be
> against it

It's complexity we'd have to maintain.  It also breaks in case processes
switch to some other for increased isolation (perhaps with user
namespaces).

I recommend the separate service module approach.

Thanks,
Florian



* Idea / Patch to add very simple uid filtering to resolv.conf
@ 2023-09-12 12:25 Matthias Fulz
  2023-09-12 14:50 ` Florian Weimer
  0 siblings, 1 reply; 3+ messages in thread
From: Matthias Fulz @ 2023-09-12 12:25 UTC (permalink / raw)
  To: libc-help


[-- Attachment #1.1: Type: text/plain, Size: 1112 bytes --]

Hi Guys,

I have written a patch to be able to filter lines in /etc/resolv.conf 
by specific uids. I had the need for my system, as I've some users that 
are only accessing specific network devices by uid matching routing rules.

Therefore I have to select different nameservers depending on the user and 
added the following to resolv.conf:

    uid+<int> <any existing resolv line>

e.g.:

    uid+1000 nameserver 1.1.1.1
    uid-1001 nameserver 8.8.8.8

This will be interpreted the following way:
uid+ -> that config line will only be added to the resolv context if the uid 
matches the one after the +
uid- -> that config line will NOT be added to the resolv context if the uid 
matches the one after the -

Further, if no uid is added to the line, the behavior would be the 
same as it was before the patch.
Would be nice if this could be included, or at least please explain why 
not, for my understanding, as I can't see any reason that would be against it.

I was first thinking about doing this by implementing an nss service but 
came to the conclusion that this would be overkill for that little config 
extension.

--
Thanks & BR,
Matthias

[-- Attachment #2: uid_resolv.patch --]
[-- Type: text/x-patch, Size: 2828 bytes --]

diff --color -Nur glibc/resolv/res_init.c glibc_b/resolv/res_init.c
--- glibc/resolv/res_init.c	2023-09-11 23:15:02.377718008 +0200
+++ glibc_b/resolv/res_init.c	2023-09-12 14:15:53.532479227 +0200
@@ -258,6 +258,8 @@
   char *cp;
   size_t buffer_size = 0;
   bool haveenv = false;
+  char struid[24];
+  unsigned int uid = getuid();
 
   /* Allow user to override the local domain definition.  */
   if ((cp = getenv ("LOCALDOMAIN")) != NULL)
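Review bot: `unsigned int uid = getuid();` should be `uid_t uid = __getuid ();`: code inside libc calls the internal `__getuid` alias rather than the exported `getuid` (the exported name is interposable and needs a PLT entry), `uid_t` is the type the value actually has, and GNU style puts a space before the parenthesis. A comment at the declaration would also help: the uid is read once, here, when the file is parsed and the result cached, so a process that changes uid afterwards keeps the view computed for the old uid until the configuration is reloaded, which is the isolation case Florian raises in his reply.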
@@ -303,6 +305,11 @@
    && ((line)[sizeof (name) - 1] == ' '           \
        || (line)[sizeof (name) - 1] == '\t'))
 
+#define MATCH_STR(line, name)                       \
+  (!strncmp ((line), name, strlen (name))     \
+   && ((line)[strlen (name)] == ' '           \
+       || (line)[strlen (name)] == '\t'))
+
   if (fp != NULL)
     {
       /* No threads use this stream.  */
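Review bot: MATCH_STR evaluates `strlen (name)` three times per call and leaves `name` unparenthesized, unlike the MATCH macro directly above it, which uses a compile-time `sizeof` and parenthesizes its arguments. Since the only argument ever passed is `struid`, a runtime string, compute `size_t struidlen = strlen (struid);` once after the snprintf and index with that, or at least write `strlen ((name))`; a one-line comment saying this is the runtime-string counterpart of MATCH would also help the next reader.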
@@ -324,6 +331,56 @@
           /* Skip comments.  */
           if (*parser->buffer == ';' || *parser->buffer == '#')
             continue;
+          /* check for user specific config */
+          if (!strncmp(parser->buffer, "uid", sizeof("uid") - 1))
+            {
+              cp = parser->buffer + sizeof ("uid") - 1;
+              if (*cp == '+' || *cp == '-')
+                {
+                  /* Get uid for comparism with user speicific configs */
+                  snprintf(struid, 24, "uid%c%u", *cp, uid); 
+                }
+              else
+                continue;
+
+              if (MATCH_STR (parser->buffer, struid))
+                {
+                  if (*cp == '-') // Remove for user
+                    continue;
+
+                  cp = parser->buffer + strlen(struid);
+                  while (*cp == ' ' || *cp == '\t')
+                    cp++;
+                  if ((*cp == '\0') || (*cp == '\n'))
+                    continue;
+
+                  cp = __strdup (cp);
+                  if (cp == NULL)
+                    return false;
+                  snprintf(parser->buffer, strlen(cp), "%s", cp);
+                  free(cp);
+                }
+              else
+                {
+                  if (*cp == '+') // Remove for user
+                    continue;
+
+                  while (*cp != ' ' && *cp != '\t')
+                    {
+                      cp++;
+                    }
+                  while (*cp == ' ' || *cp == '\t')
+                    cp++;
+                  if (*cp == '\0' || *cp == '\n')
+                    continue;
+                  
+                  cp = __strdup (cp++);
+                  if (cp == NULL)
+                    return false;
+                  snprintf(parser->buffer, strlen(cp), "%s", cp);
+                  free(cp);
+                }
+            }
           /* Read default domain name.  */
           if (MATCH (parser->buffer, "domain"))
             {
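Review bot: in the else branch, `while (*cp != ' ' && *cp != '\t') cp++;` has no stop condition for the end of the line: a line such as `uid+1001` with nothing after the number (or a last line without a trailing newline) walks past the terminating NUL and reads beyond the buffer. The loop needs `*cp != '\0' && *cp != '\n'` as well, as the matching branch already checks before the copy. The copy in both branches, `snprintf(parser->buffer, strlen(cp), "%s", cp);`, also gets the size argument wrong: snprintf writes at most size - 1 characters, so the last character of the remaining line is always cut off (the newline in the usual case, the last character of the value when the file does not end with one). Since `cp` already points into `parser->buffer` and the remainder is shorter than the original line, the `__strdup` / `snprintf` / `free` sequence can be replaced by `memmove (parser->buffer, cp, strlen (cp) + 1);`, which also removes an allocation-failure return from the middle of the parser. Smaller points: `__strdup (cp++)` post-increments a pointer that is overwritten on the same line; `//` comments and `snprintf(` without a space are not glibc style; "comparism" and "speicific" in the comment; and the `else continue;` after the `+`/`-` test silently drops any line beginning with "uid" that lacks a sign, which is fine but deserves a comment.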

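The semantics described in the mail (uid+ keeps a line only for that uid, uid- drops it only for that uid, unmarked lines are untouched), as an added stand-alone model that is not code from the patch or from glibc. Function and enum names are invented for this illustration, and one policy choice is an assumption: a marker that is not followed by "<digits><blank><text>" is dropped, matching the patch's `continue` paths. The model is written so that the cases a reviewer would probe are handled: a line that ends right after the number with no blank or newline, a uid that is only a prefix of the one on the line, a non-numeric or oversized uid, and a trailing newline that has to survive the copy.

```c
/* Added example, not code from the patch or from glibc: a stand-alone model
   of the proposed "uid+N" / "uid-N" resolv.conf line filter.  Names are
   invented here; one policy choice is assumed: a marker that is not followed
   by "<digits><blank><text>" is dropped, like the patch's `continue` paths.
   Build: cc -std=c11 -Wall -Wextra uid_filter.c -o uid_filter */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum uid_filter_result
{
  UID_LINE_UNCHANGED,  /* no uid marker: ordinary resolv.conf line */
  UID_LINE_DROPPED,    /* marker says this line is not for this uid */
  UID_LINE_REWRITTEN,  /* marker stripped; OUT holds the remaining line */
  UID_LINE_ERROR       /* OUT too small for the remaining line */
};

/* Parse "uid<sign><digits><blank>+<text>" at the start of LINE.  Every loop
   stops at NUL or newline, so a line ending right after the number cannot
   run off the end of the buffer. */
static bool
parse_uid_prefix (const char *line, char *sign, uid_t *id, const char **rest)
{
  if (strncmp (line, "uid", 3) != 0 || (line[3] != '+' && line[3] != '-'))
    return false;
  *sign = line[3];
  const char *p = line + 4;
  if (!isdigit ((unsigned char) *p))
    return false;
  unsigned long long v = 0;
  while (isdigit ((unsigned char) *p))
    {
      v = v * 10 + (unsigned) (*p++ - '0');
      if (v > 0xffffffffULL)          /* does not fit a 32-bit uid_t */
        return false;
    }
  if (*p != ' ' && *p != '\t')        /* "uid+10001" must not match 1000 */
    return false;
  while (*p == ' ' || *p == '\t')
    p++;
  if (*p == '\0' || *p == '\n')       /* nothing left to keep */
    return false;
  *id = (uid_t) v;
  *rest = p;
  return true;
}

/* Classify one line for UID; on UID_LINE_REWRITTEN the remainder of the
   line (trailing newline included, if present) is copied to OUT. */
enum uid_filter_result
uid_filter_line (const char *line, uid_t uid, char *out, size_t outsz)
{
  if (strncmp (line, "uid+", 4) != 0 && strncmp (line, "uid-", 4) != 0)
    return UID_LINE_UNCHANGED;
  char sign;
  uid_t id;
  const char *rest;
  if (!parse_uid_prefix (line, &sign, &id, &rest))
    return UID_LINE_DROPPED;          /* malformed marker never reaches the resolver */
  bool mine = (id == uid);
  if ((sign == '+' && !mine) || (sign == '-' && mine))
    return UID_LINE_DROPPED;
  size_t n = strlen (rest);           /* size the copy by the destination */
  if (n + 1 > outsz)
    return UID_LINE_ERROR;
  memcpy (out, rest, n + 1);
  return UID_LINE_REWRITTEN;
}

int
main (void)
{
  /* Constructed sample resolv.conf lines, not a real file. */
  static const char *const conf[] = {
    "nameserver 9.9.9.9\n",
    "uid+1000 nameserver 1.1.1.1\n",
    "uid-1001 nameserver 8.8.8.8\n",
    "uid+1000",                       /* last line, no newline: must not crash */
  };
  char out[128];
  uid_t uid = getuid ();
  printf ("resolv.conf as seen by uid %u:\n", (unsigned) uid);
  for (size_t i = 0; i < sizeof conf / sizeof conf[0]; i++)
    switch (uid_filter_line (conf[i], uid, out, sizeof out))
      {
      case UID_LINE_UNCHANGED: fputs (conf[i], stdout); break;
      case UID_LINE_REWRITTEN: fputs (out, stdout); break;
      default: break;
      }
  return 0;
}
```

The copy is sized by the destination buffer and keeps the terminating NUL, and the digit loop and the blank-skipping loop both stop at NUL or newline, which are the two places where the posted patch reads or drops one character too many.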