Bug#904285: nss-mymachines: /etc/nsswitch.conf ordering

Christoph Anton Mitterer calestyo at scientia.net
Sun Jul 22 18:44:48 BST 2018


Package: libnss-mymachines
Version: 239-6
Severity: important


Hi.

When libnss-mymachines is installed, it automatically adds the respective
entries to /etc/nsswitch.conf, and it seems to place
"mymachines" after "dns".

This is IMO bad (and actually even a security hole), as it would
resolve DNS names before the mymachines names.

The security hole lies in the fact that people will easily trust
what runs locally in a VM/container, and e.g. not check SSH keys
when connecting to that... however, if dns is resolved first
it could point to any machine on the net.


The libnss-mymachines documentation itself suggests:
       It is recommended to place "mymachines" after the "files" or "compat"
       entry of the /etc/nsswitch.conf lines to make sure that its mappings
       are preferred over other resolvers such as DNS, but so that /etc/hosts,
       /etc/passwd and /etc/group based mappings take precedence.



Could you please change that and add a NEWS.Debian entry so that
people have the chance to catch up?


Thanks,
Chris.
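Added example (not part of the bug report and not code from the systemd or Debian packaging): a POSIX sh check for the ordering problem described above. It takes the "hosts" line of an nsswitch.conf, reports whether "mymachines" comes before "dns", and rewrites the line so that "mymachines" directly follows the last "files"/"compat" entry, as the quoted documentation recommends. The configuration lines below are constructed for the demonstration; the bad one reproduces the ordering the report describes, the good one the recommended ordering. Bracketed action tokens such as [NOTFOUND=return] are skipped by the check and assumed absent by the rewrite.

```shell
#!/bin/sh
# Added example: verify and fix the "hosts" ordering in nsswitch.conf so that
# libnss-mymachines answers before DNS. Not the project's own code.
set -f   # no pathname expansion, so "[NOTFOUND=return]" tokens stay literal

# Constructed sample lines (not copied from any real system).
BAD_HOSTS='hosts:          files dns mymachines'
GOOD_HOSTS='hosts:          files mymachines dns'

# Constructed minimal nsswitch.conf with the reported hosts ordering.
INSTALLED_CONF='passwd:         files mymachines
group:          files mymachines
hosts:          files dns mymachines
networks:       files'

# Print the "hosts:" line of a whole nsswitch.conf passed as $1.
hosts_line() {
    printf '%s\n' "$1" | grep '^hosts:'
}

# Return 0 when "mymachines" precedes "dns" on the hosts line $1, 1 otherwise
# (also 1 when mymachines is not enabled at all). Action tokens are ignored.
mymachines_before_dns() {
    pos=0; mm=-1; dns=-1
    for svc in ${1#hosts:}; do
        case $svc in
            \[*\])      continue ;;      # e.g. [NOTFOUND=return]
            mymachines) mm=$pos ;;
            dns)        dns=$pos ;;
        esac
        pos=$((pos + 1))
    done
    [ "$mm" -ge 0 ] || return 1         # mymachines not enabled
    [ "$dns" -lt 0 ] && return 0        # no dns at all: nothing to shadow it
    [ "$mm" -lt "$dns" ]
}

# Rewrite hosts line $1 so "mymachines" sits right after the last "files" or
# "compat" entry (first, if neither is present), as the manpage recommends.
# Assumes no bracketed action tokens on the line.
fix_hosts_line() {
    rest=${1#hosts:}
    last=-1; pos=0
    for svc in $rest; do
        case $svc in files|compat) last=$pos ;; esac
        pos=$((pos + 1))
    done
    out='hosts:'; pos=0
    [ "$last" -lt 0 ] && out="$out mymachines"
    for svc in $rest; do
        if [ "$svc" = mymachines ]; then
            pos=$((pos + 1)); continue   # drop it from its old position
        fi
        out="$out $svc"
        [ "$pos" -eq "$last" ] && out="$out mymachines"
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Demonstration run on the constructed config.
line=$(hosts_line "$INSTALLED_CONF")
if mymachines_before_dns "$line"; then
    echo "OK: $line"
else
    echo "BAD: $line"
    echo "FIX: $(fix_hosts_line "$line")"
fi
```

Run against the real file with `mymachines_before_dns "$(hosts_line "$(cat /etc/nsswitch.conf)")"`; the check only reads the line, and the rewrite prints a replacement rather than editing the file, so it is safe to run before deciding whether to apply it.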


