git.ipfire.org Git - thirdparty/glibc.git/commit

author	DJ Delorie <dj@redhat.com>
	Thu, 18 Feb 2021 20:26:30 +0000 (15:26 -0500)
committer	DJ Delorie <dj@redhat.com>
	Tue, 2 Mar 2021 21:14:18 +0000 (16:14 -0500)
commit	58673149f37389495c098421085ffdb468b3f7ad
tree	a21892018cfcddb2846ba17f50dada3663def1e7	tree \| snapshot
parent	dca565886b5e8bd7966e15f0ca42ee5cff686673	commit \| diff

nss: Re-enable NSS module loading after chroot [BZ #27389]

The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all mdoules was disabled
when the root filesystem changes (see bug 27077).

Unfortunately php-lpfm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.

In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

nss/nss_database.c		diff \| blob \| blame \| history
nss/tst-reload2.c		diff \| blob \| blame \| history
nss/tst-reload2.root/etc/hosts	[new file with mode: 0644]	blob
nss/tst-reload2.root/etc/nsswitch.conf		diff \| blob \| blame \| history
nss/tst-reload2.root/subdir/etc/hosts	[new file with mode: 0644]	blob
nss/tst-reload2.root/subdir/etc/nsswitch.conf		diff \| blob \| blame \| history