about summary refs log tree commit diff
path: root/resolv/ns_netint.c
diff options
context:
space:
mode:
authorDJ Delorie <dj@redhat.com>2021-02-18 15:26:30 -0500
committerDJ Delorie <dj@redhat.com>2021-03-02 16:14:18 -0500
commit58673149f37389495c098421085ffdb468b3f7ad (patch)
treea21892018cfcddb2846ba17f50dada3663def1e7 /resolv/ns_netint.c
parentdca565886b5e8bd7966e15f0ca42ee5cff686673 (diff)
downloadglibc-58673149f37389495c098421085ffdb468b3f7ad.tar.gz
glibc-58673149f37389495c098421085ffdb468b3f7ad.tar.xz
glibc-58673149f37389495c098421085ffdb468b3f7ad.zip
nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all mdoules was disabled
when the root filesystem changes (see bug 27077).

Unfortunately php-lpfm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.

In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'resolv/ns_netint.c')
0 files changed, 0 insertions, 0 deletions