Bug#904285: nss-mymachines: /etc/nsswitch.conf ordering

Michael Biebl biebl at debian.org
Sun Jul 22 19:37:19 BST 2018


Hi

On 22.07.2018 at 19:44, Christoph Anton Mitterer wrote:
> When libnss-mymachines is installed it automatically adds the respective
> entries to /etc/nsswitch.conf and it seems to place
> "mymachines" after "dns".
> 
> This is IMO bad (and actually even a security hole), as it would
> resolve DNS names before the mymachine names.
> 
> The security hole lies in the fact that people will easily trust
> what runs locally in a VM/container, and e.g. not check SSH keys
> when connecting to that... however, if dns is resolved first
> it could point to any machine on the net.
> 
> 
> The libnss-mymachines itself suggests:
>        It is recommended to place "mymachines" after the "files" or "compat"
>        entry of the /etc/nsswitch.conf lines to make sure that its mappings
>        are preferred over other resolvers such as DNS, but so that /etc/hosts,
>        /etc/passwd and /etc/group based mappings take precedence.
> 
> 
> 
> Could you please change that and add a NEWS.Debian entry so that
> people have the chance to catch up?

Just have a look at
- libnss-mymachines should be ordered before resolve
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851314
- libnss-mymachines: Add mymachine module to passwd and group
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825439
- libnss-mymachines: mymachines module shouldn't be inserted after
  myhostname one
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825438

It's a huge mess.
It would be lovely if someone sorted this out and made sure that
nss-{resolve,mymachines,myhostname,systemd} are all inserted in the
correct order for arbitrary combinations of the packages.

A MR would be most welcome!

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
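A check an administrator can run against the resulting /etc/nsswitch.conf, added here as an example and not part of the bug report or of the systemd packaging: it parses the file and reports any hosts, passwd or group line where "mymachines" is consulted after a network resolver ("dns", "resolve") or ahead of "files"/"compat", which is the placement rule quoted from the libnss-mymachines documentation above. The sample lines are constructed for the example.

```python
"""Check the ordering of NSS modules in nsswitch.conf.

Rule implemented (from the libnss-mymachines documentation quoted in the
thread): on the hosts, passwd and group databases, "mymachines" must follow
"files" or "compat" and precede any network resolver ("dns", "resolve").
"""
from typing import Dict, List

LOCAL = {"files", "compat"}      # local-file sources that should win
NETWORK = {"dns", "resolve"}     # resolvers that may answer from the network


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database name to its ordered list of service names.

    Comments are stripped and action specifications such as
    [NOTFOUND=return] are dropped, since only service order matters here.
    """
    dbs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return dbs


def check_mymachines(text: str) -> List[str]:
    """Return a list of ordering problems; an empty list means the file is OK."""
    problems: List[str] = []
    for db, services in parse_nsswitch(text).items():
        if db not in ("hosts", "passwd", "group") or "mymachines" not in services:
            continue
        pos = services.index("mymachines")
        before = services[:pos]
        if not LOCAL & set(before):
            problems.append(f"{db}: mymachines precedes files/compat")
        late = [s for s in before if s in NETWORK]
        if late:
            problems.append(f"{db}: {late[0]} is consulted before mymachines")
    return problems


# Constructed samples: the ordering the reporter complains about, and a fixed one.
BAD = "hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines myhostname\n"
GOOD = ("hosts: files mymachines mdns4_minimal [NOTFOUND=return] "
        "resolve [!UNAVAIL=return] dns myhostname\n")

if __name__ == "__main__":
    print(check_mymachines(BAD))    # reports dns ahead of mymachines
    print(check_mymachines(GOOD))   # []
```

Run it as `python3 check_nsswitch.py` after pointing `check_mymachines` at the contents of the real file.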


