[ntp:security] [Bug 2960] upgrade to 4.2.8p4 causes FAIL at name resolution; error: ntpd[9881]: giving up resolving host clock.isc.org: Servname not supported for ai_socktype (-8)

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Mar 1 18:41:42 UTC 2016


https://bugs.ntp.org/show_bug.cgi?id=2960

--- Comment #29 from Juergen Perlinger <perlinger at ntp.org> 2016-03-01 18:41:42 UTC ---
(In reply to comment #28)
> I can confirm that chroot now happens a lot earlier, but I still can't get name
> lookup to work for a chrooted ntpd (short of copying lots of additional stuff
> into the chroot dir).

That's as far as I could push it, sorry. And yes, my list of files to copy into
the root jail is not simple :(

> 
> In comment 22 you implied that ntpd can be told at compile time to outsource
> DNS lookups to a forked process, but I can't find the proper configure switches
> for that. I've tried --disable-thread-support and --without-threads
> (individually and together), but end up with ntpd running as a single process
> in all three cases rather than forking off a separate process for DNS.
> 
> So, what is needed to get ntpd to use a forking DNS worker?
> 
> BTW, what's the difference between the two thread-switches mentioned above?

That's a tricky question -- that is to say you got me definitely left-footed.
There is still quite some code for the async resolver process, but for finding
out how this is actually activated I know only one person...

... Harlan, do you have any ideas on that topic?

But even then, we have to make sure that the resolver process is forked away
*before* we enter the root jail, or we gain nothing. That makes starting up
NTPD even more interesting.

I'm slowly running out of ideas here :(

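The ordering constraint raised in this comment (fork the resolver worker first, enter the root jail second), as an added example that is not part of the original message and is not ntpd's code. The helper names `start_resolver` and `resolve_via_worker`, the socketpair protocol and the command-line arguments are assumptions made for illustration; the numeric service "123" is used so the lookup does not depend on a services file.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork the resolver worker while the real root is still
 * visible. Returns the parent's end of the socketpair, or -1 on error. */
static int start_resolver(pid_t *pid) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((*pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (*pid > 0) { close(sv[1]); return sv[0]; }   /* parent */
    close(sv[0]);              /* child: never jailed, keeps resolver files */
    char host[256], out[64];
    ssize_t n;
    while ((n = read(sv[1], host, sizeof host - 1)) > 0) {
        struct addrinfo hints = {0}, *res = NULL;
        host[n] = '\0';
        out[0] = '\0';         /* empty reply means "lookup failed" */
        hints.ai_socktype = SOCK_DGRAM;
        if (getaddrinfo(host, "123", &hints, &res) == 0) {
            getnameinfo(res->ai_addr, res->ai_addrlen, out, sizeof out,
                        NULL, 0, NI_NUMERICHOST);
            freeaddrinfo(res);
        }
        if (write(sv[1], out, strlen(out) + 1) < 0) break;
    }
    _exit(0);                  /* parent closed its end */
}

/* Parent side: needs only the fd, so it works before and after chroot(). */
static int resolve_via_worker(int fd, const char *host, char *out, size_t len) {
    size_t hl = strlen(host);
    if (hl == 0 || hl > 255 || len < 2 || write(fd, host, hl) < 0) return -1;
    ssize_t n = read(fd, out, len - 1);
    if (n <= 0) return -1;
    out[n] = '\0';
    return out[0] ? 0 : -1;
}

int main(int argc, char **argv) {   /* usage: prog [host [jaildir]] */
    pid_t pid; char addr[64];
    int fd = start_resolver(&pid);                  /* 1. fork first */
    if (fd < 0) return 1;
    if (argc > 2 && (chroot(argv[2]) || chdir("/"))) return 1;  /* 2. jail */
    if (resolve_via_worker(fd, argc > 1 ? argv[1] : "127.0.0.1",
                           addr, sizeof addr) == 0) puts(addr); /* 3. lookup */
    close(fd);
    waitpid(pid, NULL, 0);
    return 0;
}
```

Swapping steps 1 and 2 puts the worker inside the jail as well, which is the "we gain nothing" case the comment describes.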