diff options
| author | DJ Delorie <dj@redhat.com> | 2021-02-18 15:26:30 -0500 |
|---|---|---|
| committer | DJ Delorie <dj@redhat.com> | 2021-03-02 16:14:18 -0500 |
| commit | 58673149f37389495c098421085ffdb468b3f7ad (patch) | |
| tree | a21892018cfcddb2846ba17f50dada3663def1e7 /nss/nss_database.c | |
| parent | dca565886b5e8bd7966e15f0ca42ee5cff686673 (diff) | |
| download | glibc-58673149f37389495c098421085ffdb468b3f7ad.tar.gz glibc-58673149f37389495c098421085ffdb468b3f7ad.tar.xz glibc-58673149f37389495c098421085ffdb468b3f7ad.zip | |
nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading, and to prevent potential security issues like CVE-2019-14271 the re-loading of nsswitch.conf and all mdoules was disabled when the root filesystem changes (see bug 27077). Unfortunately php-lpfm and openldap both require the ability to continue to load NSS modules after chroot. The packages do not exec after the chroot, and so do not cause the protections to be reset. The only solution is to re-enable only NSS module loading (not nsswitch.conf reloading) and so get back the previous glibc behaviour. In the future we may introduce a way to harden applications so they do not reload NSS modules once the root filesystem changes, or that only files/dns are available pre-loaded (or builtin). Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'nss/nss_database.c')
| -rw-r--r-- | nss/nss_database.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/nss/nss_database.c b/nss/nss_database.c index e1bef6bd75..fb72d0cc03 100644 --- a/nss/nss_database.c +++ b/nss/nss_database.c @@ -402,7 +402,6 @@ nss_database_check_reload_and_get (struct nss_database_state *local, atomic_store_release (&local->data.reload_disabled, 1); *result = local->data.services[database_index]; __libc_lock_unlock (local->lock); - __nss_module_disable_loading (); return true; } local->root_ino = str.st_ino; |