A new version of BFilter, 0.10.3, is available. This version now includes the droppriv patch. However, it has been changed to require the configuration directory to be within the chroot directory. This means that /var/empty can no longer be used (along with any sensible mount settings for /var such as nosuid, nodev and possibly noexec). I've changed the configuration to use /etc/bfilter by default. A diff to the existing 0.10.1 ebuild, the bfilter.conf file and an updated man page are attached (the man page will be submitted upstream).
Created attachment 81289 [details] bfilter.8 Updated man page for bfilter 0.10.3.
Created attachment 81290 [details, diff] bfilter-conf.diff Change chroot directory in bfilter.conf.
Created attachment 81291 [details, diff] bfilter-0.10.1-0.10.3-ebuild.diff Patch to the current ebuild. Drops the droppriv patch and the keepdir creation but re-adds the man page. Note that the man page has the same name as the one already in portage for 0.9.6, so it would be replaced. However, the configuration and usage differ between 0.9.6 and 0.10.3. Not sure whether you wish to drop 0.9.6 or add the new man page under a different name; I wasn't sure of the best option for adjusting file names prior to doman in the ebuild.
Comment on attachment 81290 [details, diff] bfilter-conf.diff >--- files/bfilter.conf 2006-02-21 14:39:03.000000000 +0000 >+++ files/bfilter.conf 2005-09-19 06:35:35.000000000 +0100 >@@ -1,4 +1,4 @@ > # Config file for /etc/init.d/bfilter > > # See the bfilter(8) man page for possible options to put here. >+BFILTER_OPTS="-u bfilter -g bfilter -r /var/empty" >-BFILTER_OPTS="-u bfilter -g bfilter -r /etc/bfilter"
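Review bot: the hunk is reversed. The `+` line introduces `-r /var/empty` while the described change moves the chroot to `/etc/bfilter`, and the file headers confirm it (the `---` side carries the newer 2006 timestamp, the `+++` side the 2005 one). Regenerate it as `diff -u <old> <new>` so that `-BFILTER_OPTS="-u bfilter -g bfilter -r /var/empty"` is removed and `+BFILTER_OPTS="-u bfilter -g bfilter -r /etc/bfilter"` is added; otherwise applying this patch restores the /var/empty setting the rest of the change is meant to retire.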
Created attachment 81292 [details, diff] bfilter-conf-2.diff Hrmph. Previous patch was reversed.
Fixed in CVS. I've also made the following changes:
- init script now creates /etc/bfilter/etc/resolv.conf when the -r option is set
- RDEPEND modifications:
  - dev-libs/ace replaced with >=dev-libs/ace-5.4.6 (I get compile errors when compiling against the stable version). Even with this version I get a bunch of redefinition warnings, but it isn't bfilter's fault (I don't understand why the dev-libs/ace developers chose to publish PACKAGE_* definitions in /usr/include).
  - =dev-cpp/gtkmm-2.4* replaced with >=dev-cpp/gtkmm-2.4 (at least it works with gtkmm-2.8.1)
Thanks again for your contribution! You should send the man page upstream for inclusion in future versions.
Just reopening, as it isn't necessary for resolv.conf to be copied to the chroot. The gethostbyname call is still being used to read resolv.conf before chrooting, and after doing so resolv.conf is never read again by the process.
Then how do you explain errors like this if /etc/bfilter/etc/resolv.conf doesn't exist?

The following error was encountered:
* Could not resolve Hostname "www.google.com"
Some aspect of the requested URL is incorrect. Possible problems:
* Hostname does not exist (or has expired)
* Typo/syntax error in the URL
* DNS Server problem (in which case you should try again later)

I didn't make it just because I like to complicate things; I did it because this package installs by default with -r /etc/bfilter, a setting which doesn't work (at least on my computer) unless I copy the resolv.conf.
Created attachment 81405 [details, diff] bfilter-resolv.diff That's very odd. It's working over here without any resolv.conf in the chroot after multiple restarts over two weeks of testing, and I have verified it is chrooted. The author did change the gethostbyname call to "com." instead of "www.slashdot.com" for some reason. I wonder if that's causing the problem on your system. Patch attached just in case.
Nope, still not working.
I don't think that a missing /etc/resolv.conf will not bother libresolv.so. I don't recall having to restart a daemon just because I changed the nameservers in use. However, calling gethostbyname before chrooting is good because it avoids the need to copy libresolv.so into the chrooted environment. Thoughts?
I take your silence as an approval.
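For reference, the sequence the thread argues about (prime the resolver while /etc/resolv.conf and the NSS modules are still visible, then chroot, then drop groups, gid and uid in that order and verify the drop is irreversible) as an added example in C. This is not BFilter's droppriv code; the names drop_privileges, prime_resolver and the DROP_* codes are this example's own, and the chroot/setuid steps only succeed when run as root.

```c
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Return codes of drop_privileges (example's own, not BFilter's). */
enum { DROP_OK = 0, DROP_ERR_USER = -1, DROP_ERR_GROUP = -2,
       DROP_ERR_CHROOT = -3, DROP_ERR_SETID = -4, DROP_ERR_VERIFY = -5 };

/* Touch the resolver once so libresolv reads /etc/resolv.conf and the
 * NSS modules get loaded while they are still reachable; a lookup failure
 * here is harmless, the point is the side effect of initialising. */
void prime_resolver(void) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    if (getaddrinfo("com.", NULL, &hints, &res) == 0)
        freeaddrinfo(res);
}

/* Look up user and group (also NSS, so before chroot), prime the resolver,
 * chroot + chdir("/"), then setgroups -> setgid -> setuid. Finally verify
 * that root cannot be regained; a silent partial drop is the classic bug. */
int drop_privileges(const char *user, const char *group, const char *root) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return DROP_ERR_USER;
    struct group *gr = getgrnam(group);
    if (!gr) return DROP_ERR_GROUP;
    gid_t gid = gr->gr_gid;
    uid_t uid = pw->pw_uid;

    prime_resolver();

    if (root && (chroot(root) != 0 || chdir("/") != 0)) return DROP_ERR_CHROOT;
    if (setgroups(1, &gid) != 0) return DROP_ERR_SETID;
    if (setgid(gid) != 0) return DROP_ERR_SETID;
    if (setuid(uid) != 0) return DROP_ERR_SETID;

    /* Verification: after a real drop, setuid(0) must fail and both real and
     * effective ids must be the target user's. */
    if (uid != 0 && setuid(0) == 0) return DROP_ERR_VERIFY;
    if (getuid() != uid || geteuid() != uid) return DROP_ERR_VERIFY;
    return DROP_OK;
}
```

Running this as root with a user whose home is the chroot reproduces the thread's setup; running it unprivileged stops at DROP_ERR_CHROOT or DROP_ERR_SETID, which is the expected failure rather than a false "dropped".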