Privoxy's support for chroot is good, but here is a
patch to
make it even easier to use.
The first time a process does host-name resolution, many
implementations of gethostbyname() read files from /etc and
load shared libraries from /lib. Since the first time
privoxy calls gethostbyname() is after the chroot(), all
these files need to be copied into the chroot tree.
However, copying these files can be avoided if we have
privoxy do one gethostbyname() before the chroot(). Then
privoxy can use the copies in the real /etc and /lib. The
following patch does this.
The patch also adds a "--chroot-hostname" command line
option to control the hostname resolved. This allows for
performance optimization; it is not necessary to use this
option to improve your chroot experience.
Having this patch may have helped the user who reported
tracker item 888377.
I note that the author of the original chroot patch wanted
to add a tzset() call before the chroot, but it never
happened. I see this need, too, and my patch also adds a
tzset call. This causes /etc/localtime to be read before
the chroot.
I have the Debian 3.0.3-4 package, and these diffs are
against that. I looked for your CVS sources but couldn't
find the branch the Debian package is based on.
< Stephen
--- privoxy-3.0.3/jcc.c 2005-08-28 21:45:03 -0700
+++ jcc.c 2005-08-29 12:28:47 -0700
@@ -1762,7 +1762,7 @@ void usage(const char *myname)
#if !defined(unix)
"Usage: %s [--help] [--version] [configfile]\n"
#else
- "Usage: %s [--help] [--version]
[--no-daemon] [--pidfile pidfile] [--user user[.group]]
[configfile]\n"
+ "Usage: %s [--help] [--version]
[--no-daemon] [--pidfile pidfile] [--chroot-hostname
hostname] [--chroot] [--user user[.group]] [configfile]\n"
#endif
"Aborting.\n", myname);
@@ -1806,6 +1806,7 @@ int main(int argc, const char
*argv[])
struct group *grp = NULL;
char *p;
int do_chroot = 0;
+ char *chroot_hostname_to_load_resolver = NULL;
#endif
Argc = argc;
@@ -1869,6 +1870,23 @@ int main(int argc, const char
*argv[])
if (p != NULL) *--p = '\0';
}
+ else if (strcmp(argv[argc_pos],
"--chroot-hostname" ) == 0)
+ {
+ /*
+ * For fastest startup speed, a good value
for the chroot
+ * hostname lookup is a host name that is not
in /etc/hosts
+ * but that your local name server (listed in
+ * /etc/resolv.conf) can resolve without
recursion (that is,
+ * without having to ask any other name servers).
+ * The hostname need not exist, but if it
doesn't, an error
+ * message (which can be ignored) will be output.
+ * If not set, a default is used. If set to
the empty string,
+ * the extra lookup is skipped.
+ */
+ if (++argc_pos == argc) usage(argv[0]);
+ chroot_hostname_to_load_resolver =
strdup(argv[argc_pos]);
+ }
+
else if (strcmp(argv[argc_pos], "--chroot" ) == 0)
{
do_chroot = 1;
@@ -2060,6 +2078,25 @@ int main(int argc, const char
*argv[])
{
log_error(LOG_LEVEL_FATAL, "Home directory
for %s undefined", pw->pw_name);
}
+ /* Read the time zone file from /etc before
doing chroot. */
+ tzset();
+ if (NULL == chroot_hostname_to_load_resolver)
+ {
+ /* default to a hostname not likely to be
in /etc/hosts */
+ chroot_hostname_to_load_resolver =
strdup(".");
+ }
+ if (NULL != chroot_hostname_to_load_resolver
+ && '\0' !=
chroot_hostname_to_load_resolver[0])
+ {
+ /*
+ * On some systems, initializing the
resolver library
+ * involves reading config files from /etc
and/or loading
+ * additional shared libraries from /lib,
so we do one
+ * hostname lookup before the chroot to
reduce the number
+ * of files that must be copied into the
chroot tree.
+ */
+ (void)
resolve_hostname_to_ip(chroot_hostname_to_load_resolver);
+ }
if (chroot(pw->pw_dir) < 0)
{
log_error(LOG_LEVEL_FATAL, "Cannot chroot
to %s", pw->pw_dir);
Logged In: YES
user_id=322640
Moving.
Logged In: YES
user_id=414932
Originator: YES
Attaching a new version of the patch updated for the current CVS version (~3.0.7).
This version of the patch also makes two changes requested by Fabian:
* Change the name of the switch from --chroot-hostname to --pre-chroot-nslookup to make it clearer that this switch doesn't affect Privoxy's own hostname.
* Make the extra lookup default to off.
File Added: privoxy-3.0.7cvs-pre-chroot-nslookup.diff
Logged In: YES
user_id=875547
Originator: NO
Thanks for the patch and thanks for not giving up on us.
It's in CVS now.
Logged In: YES
user_id=414932
Originator: YES
You're welcome, glad to help.
Thank you for moving my comments into the proper documentation.
It looks like a typo crept into user-manual.sgml:
"The hostname doesn't need not exist" should be
"The hostname need not exist" or maybe
"The hostname doesn't need to exist".
Logged In: YES
user_id=875547
Originator: NO
Fixed, thanks again.
I had reworded it to "doesn't need to exist",
noticed that there were now to "doesn't"s in the
same sentence and failed to properly revert it
to the original.