[PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[Stefan Sedich]

Currently glibc supports using the RES_OPTIONS environment variable
to customize the resolv.conf options on a per-process basis, this
adds the same support to musl
---
 src/network/resolvconf.c | 48 ++++++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/src/network/resolvconf.c b/src/network/resolvconf.c
index 4c3e4c4b..c759ff61 100644
--- a/src/network/resolvconf.c
+++ b/src/network/resolvconf.c
@@ -5,6 +5,30 @@
 #include <string.h>
 #include <netinet/in.h>
 
+void __parse_resolv_opts(struct resolvconf *conf, char *opts)
+{
+	char *p, *z;
+
+	p = strstr(opts, "ndots:");
+	if (p && isdigit(p[6])) {
+		p += 6;
+		unsigned long x = strtoul(p, &z, 10);
+		if (z != p) conf->ndots = x > 15 ? 15 : x;
+	}
+	p = strstr(opts, "attempts:");
+	if (p && isdigit(p[9])) {
+		p += 9;
+		unsigned long x = strtoul(p, &z, 10);
+		if (z != p) conf->attempts = x > 10 ? 10 : x;
+	}
+	p = strstr(opts, "timeout:");
+	if (p && (isdigit(p[8]) || p[8]=='.')) {
+		p += 8;
+		unsigned long x = strtoul(p, &z, 10);
+		if (z != p) conf->timeout = x > 60 ? 60 : x;
+	}
+}
+
 int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
 {
 	char line[256];
@@ -38,24 +62,7 @@ int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
 			continue;
 		}
 		if (!strncmp(line, "options", 7) && isspace(line[7])) {
-			p = strstr(line, "ndots:");
-			if (p && isdigit(p[6])) {
-				p += 6;
-				unsigned long x = strtoul(p, &z, 10);
-				if (z != p) conf->ndots = x > 15 ? 15 : x;
-			}
-			p = strstr(line, "attempts:");
-			if (p && isdigit(p[9])) {
-				p += 9;
-				unsigned long x = strtoul(p, &z, 10);
-				if (z != p) conf->attempts = x > 10 ? 10 : x;
-			}
-			p = strstr(line, "timeout:");
-			if (p && (isdigit(p[8]) || p[8]=='.')) {
-				p += 8;
-				unsigned long x = strtoul(p, &z, 10);
-				if (z != p) conf->timeout = x > 60 ? 60 : x;
-			}
+			__parse_resolv_opts(conf, line);
 			continue;
 		}
 		if (!strncmp(line, "nameserver", 10) && isspace(line[10])) {
@@ -79,6 +86,11 @@ int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
 		memcpy(search, p, l+1);
 	}
 
+	char *res_opts_env;
+	if ((res_opts_env = getenv("RES_OPTIONS")) != NULL) {
+		__parse_resolv_opts(conf, res_opts_env);
+	}
+
 	__fclose_ca(f);
 
 no_resolv_conf:
-- 
2.11.0

Re: [PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[Rich Felker]

On Mon, Apr 24, 2017 at 07:21:22PM -0700, Stefan Sedich wrote:
> Currently glibc supports using the RES_OPTIONS environment variable
> to customize the resolv.conf options on a per-process basis, this
> adds the same support to musl
> ---
>  src/network/resolvconf.c | 48 ++++++++++++++++++++++++++++++------------------
>  1 file changed, 30 insertions(+), 18 deletions(-)
> 
> diff --git a/src/network/resolvconf.c b/src/network/resolvconf.c
> index 4c3e4c4b..c759ff61 100644
> --- a/src/network/resolvconf.c
> +++ b/src/network/resolvconf.c
> @@ -5,6 +5,30 @@
>  #include <string.h>
>  #include <netinet/in.h>
>  
> +void __parse_resolv_opts(struct resolvconf *conf, char *opts)
> +{
> +	char *p, *z;
> +
> +	p = strstr(opts, "ndots:");
> +	if (p && isdigit(p[6])) {
> +		p += 6;
> +		unsigned long x = strtoul(p, &z, 10);
> +		if (z != p) conf->ndots = x > 15 ? 15 : x;
> +	}
> +	p = strstr(opts, "attempts:");
> +	if (p && isdigit(p[9])) {
> +		p += 9;
> +		unsigned long x = strtoul(p, &z, 10);
> +		if (z != p) conf->attempts = x > 10 ? 10 : x;
> +	}
> +	p = strstr(opts, "timeout:");
> +	if (p && (isdigit(p[8]) || p[8]=='.')) {
> +		p += 8;
> +		unsigned long x = strtoul(p, &z, 10);
> +		if (z != p) conf->timeout = x > 60 ? 60 : x;
> +	}
> +}
> +
>  int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
>  {
>  	char line[256];
> @@ -38,24 +62,7 @@ int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
>  			continue;
>  		}
>  		if (!strncmp(line, "options", 7) && isspace(line[7])) {
> -			p = strstr(line, "ndots:");
> -			if (p && isdigit(p[6])) {
> -				p += 6;
> -				unsigned long x = strtoul(p, &z, 10);
> -				if (z != p) conf->ndots = x > 15 ? 15 : x;
> -			}
> -			p = strstr(line, "attempts:");
> -			if (p && isdigit(p[9])) {
> -				p += 9;
> -				unsigned long x = strtoul(p, &z, 10);
> -				if (z != p) conf->attempts = x > 10 ? 10 : x;
> -			}
> -			p = strstr(line, "timeout:");
> -			if (p && (isdigit(p[8]) || p[8]=='.')) {
> -				p += 8;
> -				unsigned long x = strtoul(p, &z, 10);
> -				if (z != p) conf->timeout = x > 60 ? 60 : x;
> -			}
> +			__parse_resolv_opts(conf, line);
>  			continue;
>  		}
>  		if (!strncmp(line, "nameserver", 10) && isspace(line[10])) {
> @@ -79,6 +86,11 @@ int __get_resolv_conf(struct resolvconf *conf, char *search, size_t search_sz)
>  		memcpy(search, p, l+1);
>  	}
>  
> +	char *res_opts_env;
> +	if ((res_opts_env = getenv("RES_OPTIONS")) != NULL) {
> +		__parse_resolv_opts(conf, res_opts_env);
> +	}
> +
>  	__fclose_ca(f);
>  
>  no_resolv_conf:
> -- 
> 2.11.0

At the very least, this needs to be suppressed for suid and suid-like
processes. But otherwise it's probably okay.

What I'd really like is a way for users to override nameserver and
search directives (so pretty much, all of resolv.conf) in a way that
doesn't need root; this would be really valuable for testing. But
sadly there's no precedent for an interface to do so. Maybe it's
something we could work on a unified solution to with other
implementations (glibc, bsds?).

Rich

Re: [PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[Kurt H Maier]

On Mon, Apr 24, 2017 at 10:39:34PM -0400, Rich Felker wrote:
>
> What I'd really like is a way for users to override nameserver and
> search directives (so pretty much, all of resolv.conf) in a way that
> doesn't need root; this would be really valuable for testing. But
> sadly there's no precedent for an interface to do so. Maybe it's
> something we could work on a unified solution to with other
> implementations (glibc, bsds?).
> 
> Rich

FreeBSD and OpenBSD both currently support RES_OPTIONS (and LOCALDOMAIN
for overriding the search directive) but I don't think they support
overriding the nameserver directive.  There's just the HOSTALIASES
variable for pointing to a file full of 'alias hostname' pairs.

khm

Re: [PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[Stefan Sedich]

[-- Attachment #1: Type: text/plain, Size: 1087 bytes --]

Rich,

I will make the change, but so I understand some more what would be the
implications of not ignoring it in this scenario? I understand why it is
bad in the case of the load paths for example but just want to understand
the issue in this context.



- Stefan

On Mon, Apr 24, 2017 at 7:50 PM Kurt H Maier <khm@sdf.org> wrote:

> On Mon, Apr 24, 2017 at 10:39:34PM -0400, Rich Felker wrote:
> >
> > What I'd really like is a way for users to override nameserver and
> > search directives (so pretty much, all of resolv.conf) in a way that
> > doesn't need root; this would be really valuable for testing. But
> > sadly there's no precedent for an interface to do so. Maybe it's
> > something we could work on a unified solution to with other
> > implementations (glibc, bsds?).
> >
> > Rich
>
> FreeBSD and OpenBSD both currently support RES_OPTIONS (and LOCALDOMAIN
> for overriding the search directive) but I don't think they support
> overriding the nameserver directive.  There's just the HOSTALIASES
> variable for pointing to a file full of 'alias hostname' pairs.
>
> khm
>

[-- Attachment #2: Type: text/html, Size: 1507 bytes --]

Re: [PATCH] Add RES_OPTIONS support for resolv.conf options overriding

[Rich Felker]

On Tue, Apr 25, 2017 at 04:30:58AM +0000, Stefan Sedich wrote:
> Rich,
> 
> I will make the change, but so I understand some more what would be the
> implications of not ignoring it in this scenario? I understand why it is
> bad in the case of the load paths for example but just want to understand
> the issue in this context.

Primarily it's just a general principle of safety. A few specific
attacks I can think of here, though:

1. By manipulating ndots, you could cause a privileged process to
lookup the wrong domain.

2. By controlling timeout and retries, you could widen the window for
dns spoofing attacks.

Neither of these should lead to privilege-elevation if proper
authentication is used (dns alone is not sufficient to authenticate a
server to a client without dnssec), but lots of stuff is not written
to be safe...

BTW, please reply inline/below on lists rather than top-posting.

Rich



> On Mon, Apr 24, 2017 at 7:50 PM Kurt H Maier <khm@sdf.org> wrote:
> 
> > On Mon, Apr 24, 2017 at 10:39:34PM -0400, Rich Felker wrote:
> > >
> > > What I'd really like is a way for users to override nameserver and
> > > search directives (so pretty much, all of resolv.conf) in a way that
> > > doesn't need root; this would be really valuable for testing. But
> > > sadly there's no precedent for an interface to do so. Maybe it's
> > > something we could work on a unified solution to with other
> > > implementations (glibc, bsds?).
> > >
> > > Rich
> >
> > FreeBSD and OpenBSD both currently support RES_OPTIONS (and LOCALDOMAIN
> > for overriding the search directive) but I don't think they support
> > overriding the nameserver directive.  There's just the HOSTALIASES
> > variable for pointing to a file full of 'alias hostname' pairs.
> >
> > khm
> >