public inbox for glibc-bugs@sourceware.org
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/27077] Do not reload /etc/nsswitch.conf from chroot
Date: Tue, 02 Mar 2021 21:24:23 +0000
Message-ID: <bug-27077-131-Dt7W13BgLy@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-27077-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27077

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---

The master branch has been updated by DJ Delorie <dj@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=58673149f37389495c098421085ffdb468b3f7ad

commit 58673149f37389495c098421085ffdb468b3f7ad
Author: DJ Delorie <dj@redhat.com>
Date:   Thu Feb 18 15:26:30 2021 -0500

    nss: Re-enable NSS module loading after chroot [BZ #27389]

    The glibc 2.33 release enabled /etc/nsswitch.conf reloading, and to
    prevent potential security issues like CVE-2019-14271 the re-loading
    of nsswitch.conf and all modules was disabled when the root filesystem
    changes (see bug 27077).

    Unfortunately php-lpfm and openldap both require the ability to
    continue to load NSS modules after chroot. The packages do not exec
    after the chroot, and so do not cause the protections to be reset.

    The only solution is to re-enable only NSS module loading (not
    nsswitch.conf reloading) and so get back the previous glibc behaviour.

    In the future we may introduce a way to harden applications so they do
    not reload NSS modules once the root filesystem changes, or that only
    files/dns are available pre-loaded (or builtin).

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

--
You are receiving this mail because:
You are on the CC list for the bug.