git.ipfire.org Git - thirdparty/glibc.git/commit

author	DJ Delorie <dj@redhat.com>
	Thu, 18 Feb 2021 20:26:30 +0000 (15:26 -0500)
committer	Florian Weimer <fweimer@redhat.com>
	Thu, 4 Mar 2021 09:51:27 +0000 (10:51 +0100)
commit	3e880d733753183696d1a81c34caef3a9add2b0c
tree	35b995e70f090d94c7c9c6caa692dd92d14adf52	tree
parent	71b2463f6178a6097532dcfe8948bffbe2376dfb	commit \| diff

nss: Re-enable NSS module loading after chroot [BZ #27389]

The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all mdoules was disabled
when the root filesystem changes (see bug 27077).

Unfortunately php-lpfm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.

In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 58673149f37389495c098421085ffdb468b3f7ad)

nss/nss_database.c		diff \| blob \| blame \| history
nss/tst-reload2.c		diff \| blob \| blame \| history
nss/tst-reload2.root/etc/hosts	[new file with mode: 0644]	blob
nss/tst-reload2.root/etc/nsswitch.conf		diff \| blob \| blame \| history
nss/tst-reload2.root/subdir/etc/hosts	[new file with mode: 0644]	blob
nss/tst-reload2.root/subdir/etc/nsswitch.conf		diff \| blob \| blame \| history