[Siproxd-users] DNS resolution in chroot jail
From: Michael P. <mic...@ci...> - 2005-10-19 12:38:51
I'm running siproxd snapshot from 4th October, and was testing the 'multiple contact handling' in sip_rewrite_contact. During my testing, I found another problem, this time associated with DNS resolution. I think I may have updated something on my system to break it, as I don't think you have changed it between these releases. The problem is that once chrooted, siproxd cannot resolve DNS names. I can see in utils.c:secure_environment() that you perform a lookup of 'localhost' before chrooting, to fix this problem. But for me, it doesn't. I added an additional line, just after the lookup of 'localhost', and before the chroot, of the form: get_ip_by_host("www.google.com", &dummy); which made it work as I expect. I think the problem is that 'localhost' can be looked up without resorting to a remote DNS lookup, so all the relevant libraries are not installed before the call to chroot. I did an 'strace' of siproxd starting up, and here is an extract of the work done between looking up 'localhost' and looking up 'www.google.com'. 
time([1129723469]) = 1129723469
write(2, "13:04:29 utils.c:194 ", 2113:04:29 utils.c:194 ) = 21
write(2, "DNS lookup - resolved: localhost"..., 45DNS lookup - resolved: localhost -> 127.0.0.1) = 45
write(2, "\n", 1 ) = 1
time([1129723469]) = 1129723469
write(2, "13:04:29 utils.c:214 ", 2113:04:29 utils.c:214 ) = 21
write(2, "DNS lookup - store into cache, e"..., 39DNS lookup - store into cache, entry 0)) = 39
write(2, "\n", 1 ) = 1
time([1129723469]) = 1129723469
time([1129723469]) = 1129723469
open("/etc/hosts", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=217, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(4, "127.0.0.1 localhost.localdomain "..., 4096) = 217
read(4, "", 4096) = 0
close(4) = 0
munmap(0x40017000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=57385, ...}) = 0
old_mmap(NULL, 57385, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libnss_dns.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\r\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0644, st_size=17840, ...}) = 0
old_mmap(NULL, 20616, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x40217000
old_mmap(0x4021b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x3000) = 0x4021b000
close(4) = 0
munmap(0x40017000, 57385) = 0
gettimeofday({1129723469, 797825}, NULL) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.7.1.2")}, 28) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
gettimeofday({1129723469, 798933}, NULL) = 0
poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
send(4, "\340\333\1\0\0\1\0\0\0\0\0\0\3www\6google\3com\0\0\1\0"..., 32, 0) = 32
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [100]) = 0
recvfrom(4, "\340\333\201\200\0\1\0\4\0\0\0\0\3www\6google\3com\0\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.7.1.2")}, [16]) = 100
close(4) = 0
time([1129723470]) = 1129723470
write(2, "13:04:30 utils.c:194 ", 2113:04:30 utils.c:194 ) = 21
write(2, "DNS lookup - resolved: www.googl"..., 52DNS lookup - resolved: www.google.com -> 66.102.9.99) = 52
write(2, "\n", 1 ) = 1
time([1129723470]) = 1129723470
write(2, "13:04:30 utils.c:214 ", 2113:04:30 utils.c:214 ) = 21
write(2, "DNS lookup - store into cache, e"..., 39DNS lookup - store into cache, entry 1)) = 39
write(2, "\n", 1 ) = 1
time([1129723470]) = 1129723470
time([1129723470]) = 1129723470
write(2, "13:04:30 utils.c:259 ", 2113:04:30 utils.c:259 ) = 21
write(2, "chrooting to /var/lib/siproxd/", 30chrooting to /var/lib/siproxd/) = 30

This suggests to me that an additional library is pulled in for remote lookups, and also that hosts only listed in /etc/hosts will not be visible after the chroot, unless you create a new /etc/hosts within the chroot jail, or hardlink to the existing one. I suppose you could also hardlink the libraries that it needs into the right place within the chroot jail to get this to work too, rather than forcing a lookup of an address that won't be resolved locally. And this might be the better solution - setting up the chroot jail so that all the relevant libraries are available.

Regards,
Michael Procter
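A check for the situation Michael describes, added here as an example and not siproxd's own code (it assumes a Linux host using glibc NSS): nss_hosts_modules reads the hosts line of nsswitch.conf to list which NSS modules (each loaded on demand as libnss_<name>.so.2) a jail must carry, and library_mapped confirms from /proc/self/maps that libnss_dns is already resident before chroot(), which a lookup of 'localhost' answered from /etc/hosts does not guarantee.

```c
/* Added example, not siproxd code; assumes Linux with glibc NSS. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parse the "hosts:" line of nsswitch.conf text into NSS module names,
   e.g. "hosts: files dns" -> {"files", "dns"}; returns the count. glibc
   loads libnss_<name>.so.2 for each one on first use, so each must be in
   the jail or already mapped. Skips [STATUS=action] specs and comments. */
int nss_hosts_modules(const char *conf, char out[][32], int max)
{
    int n = 0;
    for (const char *line = conf; line && *line && n < max; ) {
        const char *end = strchr(line, '\n');
        const char *stop = end ? end : line + strlen(line);
        if (stop - line > 6 && strncmp(line, "hosts:", 6) == 0) {
            const char *p = line + 6;
            while (p < stop && n < max) {
                while (p < stop && isspace((unsigned char)*p)) p++;
                if (p >= stop || *p == '#') break;
                if (*p == '[') { while (p < stop && *p++ != ']') ; continue; }
                size_t i = 0;
                for (; p < stop && !isspace((unsigned char)*p); p++)
                    if (i < 31) out[n][i++] = *p;   /* truncate long names */
                out[n++][i] = '\0';
            }
            break;                 /* only one hosts: line is meaningful */
        }
        line = end ? end + 1 : NULL;
    }
    return n;
}

/* 1 if a library whose path contains `name` is already mapped into this
   process (per /proc/self/maps) and so survives chroot(); else 0. Call it
   with "libnss_dns" after the warm-up lookup and before chroot(). */
int library_mapped(const char *name)
{
    char line[512];
    int found = 0;
    FILE *f = fopen("/proc/self/maps", "r");      /* Linux-specific */
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = strstr(line, name) != NULL;
    fclose(f);
    return found;
}
```

If library_mapped("libnss_dns") is 0 right before chroot(), the warm-up lookup was satisfied without the DNS module and resolution inside the jail will fail unless that module and its dependencies exist under the jail root.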