* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
2020-12-16 7:55 [Bug network/27077] New: Do not reload /etc/nsswitch.conf from chroot fweimer at redhat dot com
From: crrodriguez at opensuse dot org @ 2021-01-29 17:38 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
Cristian Rodríguez <crrodriguez at opensuse dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |crrodriguez at opensuse dot org
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: dj at redhat dot com @ 2021-01-29 19:46 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
dj at redhat dot com <dj at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Target Milestone|--- |2.33
CC| |dj at redhat dot com
Status|NEW |RESOLVED
--- Comment #1 from dj at redhat dot com <dj at redhat dot com> ---
Fixed in 429029a73ec2dba7f808f69ec8b9e3d84e13e804
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: dilyan.palauzov at aegee dot org @ 2021-02-14 15:25 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
dilyan.palauzov at aegee dot org <dilyan.palauzov at aegee dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dilyan.palauzov at aegee dot org
--- Comment #2 from dilyan.palauzov at aegee dot org <dilyan.palauzov at aegee dot org> ---
In glibc 2.32 I had a chroot and no nscd process on the host (neither outside
the chroot, nor within the chroot). In glibc 2.33 somehow I am forced to have nscd
and therefore (mount -B) /var/run/nscd/socket within the chroots.
I suspect that this change effectively forces the presence of nscd for the
chrooted environments, which is a regression.
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: fweimer at redhat dot com @ 2021-02-15 9:12 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to dilyan.palauzov@aegee.org from comment #2)
> In glibc 2.32 I had a chroot and no nscd process on the host (neither outside
> the chroot, nor within the chroot). In glibc 2.33 somehow I am forced to have
> nscd and therefore (mount -B) /var/run/nscd/socket within the chroots.
>
> I suspect that this change effectively forces the presence of nscd for the
> chrooted environments, which is a regression.
You can probably work around this issue by preloading libnss_files.so.2 and
perhaps libnss_dns.so.2, so that they get loaded immediately, outside of the
chroot.
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: dilyan.palauzov at aegee dot org @ 2021-02-15 12:38 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
--- Comment #4 from dilyan.palauzov at aegee dot org <dilyan.palauzov at aegee dot org> ---
As far as I can see I had in the chrooted environment libnss_dns and
libnss_files from libc 2.23 (twenty-three). I have just upgraded libc
outside of the chroot, and libc in the chroot was unchanged (for a very long time).
After upgrading to libc 2.33 this configuration stopped working. Eventually I
started nscd, bind-mounted var/run/nscd within the chroot, and this helped.
What I am saying is that this change, or something else between 2.32 and 2.33,
causes a regression: a workflow which was working with 2.32 (no nscd daemon in
the chroot) is not working anymore with 2.33. As such the regression, if intended,
should be spelled out clearly.
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: dj at redhat dot com @ 2021-02-16 3:03 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
--- Comment #5 from dj at redhat dot com <dj at redhat dot com> ---
Mixing NSS providers between the host and guest is what we're trying to avoid,
as we consider that a security issue[*] - a container management tool, for
example, may not be able to trust the config/modules inside the container and
should continue using the host's modules and nsswitch.conf. Programs which
"enter" chroots/containers should exec() some in-chroot program, which would
then load that nsswitch.conf.
If you have such a management tool, you should ensure your NSS environment is
complete by calling suitable API functions (like getpwuid) to ensure each NSS
provider is loaded, before chrooting.
[*] for example, if a container had some custom NSS modules defined in
nsswitch.conf, and those custom modules took advantage of the host tool's
privileges.
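The preload workaround in comment #3 and the warm-up advice in comment #5 amount to the same hardening step: make glibc read the host's nsswitch.conf and map the NSS modules before chroot(), so that nothing below the new root can supply a module later. The program below is an added example written for this page; it is not glibc code and not from the bug report. The names nss_warmup, nsswitch_services, nss_module_mapped and sample_nsswitch_conf are the example's own, and the nsswitch.conf text inside it is a constructed sample used only when /etc/nsswitch.conf cannot be read.

```c
/* nss_warmup.c: keep a chroot()ing process on the host's NSS configuration
 * and modules. Added example for this page, not glibc code.
 * Build: cc -Wall -o nss_warmup nss_warmup.c
 * Run:   sudo ./nss_warmup /path/to/newroot   (chroot needs CAP_SYS_CHROOT) */
#define _GNU_SOURCE
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed nsswitch.conf sample (not copied from any host). */
const char *const sample_nsswitch_conf =
    "# /etc/nsswitch.conf (constructed sample)\n"
    "passwd:     files systemd\n"
    "group:      files systemd\n"
    "hosts:      files dns [NOTFOUND=return] myhostname\n";

/* Collect the service names configured for one database ("passwd", "hosts",
 * ...) from nsswitch.conf text. Text after '#' is a comment; bracketed action
 * specs such as [NOTFOUND=return] are not services and are skipped. The first
 * line naming the database wins. Returns how many names were written to out. */
int nsswitch_services(const char *conf, const char *db, char out[][32], int max)
{
    int n = 0;
    const char *line = conf;
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        char *hash = strchr(buf, '#');
        if (hash)
            *hash = '\0';
        char *save = NULL;
        char *tok = strtok_r(buf, " \t:", &save);
        if (tok && strcmp(tok, db) == 0) {
            while (n < max && (tok = strtok_r(NULL, " \t:", &save)) != NULL) {
                if (tok[0] == '[')
                    continue;
                snprintf(out[n], 32, "%s", tok);
                n++;
            }
            return n;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return n;
}

/* Touch each database the program will need after chroot(). The lookups need
 * not succeed: the side effect we want is that glibc parses the host's
 * nsswitch.conf and loads the libnss_<service>.so.2 modules now, while the
 * host's files are still visible. Returns how many lookups found an entry. */
int nss_warmup(void)
{
    int found = 0;
    if (getpwuid(getuid()) != NULL)
        found++;
    if (getgrgid(getgid()) != NULL)
        found++;
    struct addrinfo *res = NULL;
    if (getaddrinfo("localhost", NULL, NULL, &res) == 0) {
        found++;
        freeaddrinfo(res);
    }
    return found;
}

/* Report whether a libnss_<service>.so object is mapped in this process by
 * scanning /proc/self/maps (Linux). 1 = mapped, 0 = not, -1 = no /proc.
 * Caveat: on glibc 2.34 and later "files" and "dns" live inside libc.so.6,
 * so they report 0 there even though lookups through them work. */
int nss_module_mapped(const char *service)
{
    char needle[80];
    snprintf(needle, sizeof needle, "libnss_%s.so", service);
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    char line[512];
    int mapped = 0;
    while (fgets(line, sizeof line, maps))
        if (strstr(line, needle)) { mapped = 1; break; }
    fclose(maps);
    return mapped;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s NEWROOT\n", argv[0]);
        return 2;
    }
    static char conf[8192];
    const char *text = sample_nsswitch_conf;
    FILE *f = fopen("/etc/nsswitch.conf", "r");   /* prefer the host's file */
    if (f) { conf[fread(conf, 1, sizeof conf - 1, f)] = '\0'; fclose(f); text = conf; }

    int found = nss_warmup();                      /* step 1: load outside */
    char svc[8][32];
    int n = nsswitch_services(text, "hosts", svc, 8);
    for (int i = 0; i < n; i++)
        printf("hosts service %-12s mapped=%d\n", svc[i], nss_module_mapped(svc[i]));

    if (chroot(argv[1]) != 0 || chdir("/") != 0) { /* step 2: change root */
        perror("chroot");
        return 1;
    }
    struct passwd *pw = getpwuid(0);               /* must not load anything new */
    printf("warm-up found %d entries; after chroot uid 0 -> %s\n",
           found, pw ? pw->pw_name : "(lookup failed)");
    return 0;
}
```

Two things the run makes visible. First, the lookup after chroot() still goes through the host's nsswitch.conf and the modules mapped before the call, but the files module now reads /etc/passwd relative to the new root, so the data can differ or be missing while the code path stays the host's. Second, on a 2.33 release without the follow-up commit, a database that was not warmed up fails outright after chroot (the regression comment #2 describes); with the follow-up, glibc loads the missing module from inside the chroot, which is exactly the situation comment #5 wants a privileged tool to avoid, so the warm-up step stays the hardening measure either way.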
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: dilyan.palauzov at aegee dot org @ 2021-02-16 11:54 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
--- Comment #6 from dilyan.palauzov at aegee dot org <dilyan.palauzov at aegee dot org> ---
I filed:
• https://bugs.php.net/bug.php?id=80756 for PHP, and
• https://bugs.openldap.org/show_bug.cgi?id=9466 for OpenLDAP
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: sjon at hortensius dot net @ 2021-02-16 12:41 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
sjon at hortensius dot net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sjon at hortensius dot net
--- Comment #7 from sjon at hortensius dot net ---
FYI I reported https://sourceware.org/bugzilla/show_bug.cgi?id=27389 because I
considered this to be a bug.
I also think this change should be more prominent in the changelog, as it breaks
things that used to work fine by considering legitimate uses as suddenly being
a security risk.
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: fweimer at redhat dot com @ 2021-02-17 13:37 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=27389
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: cvs-commit at gcc dot gnu.org @ 2021-03-02 21:24 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by DJ Delorie <dj@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=58673149f37389495c098421085ffdb468b3f7ad
commit 58673149f37389495c098421085ffdb468b3f7ad
Author: DJ Delorie <dj@redhat.com>
Date: Thu Feb 18 15:26:30 2021 -0500
nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all modules was disabled
when the root filesystem changes (see bug 27077).
Unfortunately php-fpm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.
In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: cvs-commit at gcc dot gnu.org @ 2021-03-04 10:05 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.33/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3e880d733753183696d1a81c34caef3a9add2b0c
commit 3e880d733753183696d1a81c34caef3a9add2b0c
Author: DJ Delorie <dj@redhat.com>
Date: Thu Feb 18 15:26:30 2021 -0500
nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all modules was disabled
when the root filesystem changes (see bug 27077).
Unfortunately php-fpm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.
In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 58673149f37389495c098421085ffdb468b3f7ad)
* [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
From: fweimer at redhat dot com @ 2021-09-01 9:33 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27077
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=28297