public inbox for glibc-bugs@sourceware.org
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments
Date: Thu, 04 Mar 2021 11:46:50 +0000
Message-ID: <bug-27389-131-dPolrLkoB8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-27389-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27389

Florian Weimer <fweimer at redhat dot com> changed:

            What    |Removed     |Added
----------------------------------------------------------------------------
          Status    |UNCONFIRMED |RESOLVED
Target Milestone    |---         |2.34
      Resolution    |---         |FIXED

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.34. Also backported to 2.33.

commit 58673149f37389495c098421085ffdb468b3f7ad
Author: DJ Delorie <dj@redhat.com>
Date:   Thu Feb 18 15:26:30 2021 -0500

    nss: Re-enable NSS module loading after chroot [BZ #27389]

    The glibc 2.33 release enabled /etc/nsswitch.conf reloading, and to
    prevent potential security issues like CVE-2019-14271 the re-loading
    of nsswitch.conf and all modules was disabled when the root filesystem
    changes (see bug 27077).

    Unfortunately php-lpfm and openldap both require the ability to
    continue to load NSS modules after chroot. The packages do not exec
    after the chroot, and so do not cause the protections to be reset.

    The only solution is to re-enable only NSS module loading (not
    nsswitch.conf reloading) and so get back the previous glibc behaviour.

    In the future we may introduce a way to harden applications so they
    do not reload NSS modules once the root filesystem changes, or that
    only files/dns are available pre-loaded (or builtin).

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
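The commit message above says the hardening was relaxed because php-fpm-style and openldap deployments chroot without exec'ing and then still need NSS modules loaded, and it mentions a possible future mode in which only pre-loaded modules are available. The program below is an added example, not glibc code and not part of the bug report, showing the deployment pattern that keeps a service working under either behaviour: consult the NSS databases the service will need before calling chroot(), so the modules are already mapped and the chrooted process never has to dlopen anything from the new root. The function names (prime_nss, enter_chroot, lookup_after_chroot), the lookup keys "root" and "localhost", and the default jail path /var/empty are assumptions chosen for the example.

```c
/* Added example (not glibc's or the bug reporter's code): prime NSS lookups
   before chroot() so the chrooted process relies only on modules that are
   already loaded. Names and paths below are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bit flags reporting which databases were successfully primed. */
#define NSS_PRIMED_PASSWD 0x1
#define NSS_PRIMED_HOSTS  0x2

/* Touch the passwd and hosts databases so glibc loads their NSS modules now,
   while /etc/nsswitch.conf and the module .so files are still reachable.
   Returns a mask of NSS_PRIMED_* bits for the lookups that succeeded. */
int prime_nss(const char *user, const char *host)
{
    int primed = 0;

    /* "passwd" database: loads e.g. libnss_files / libnss_systemd. */
    if (getpwnam(user) != NULL)
        primed |= NSS_PRIMED_PASSWD;

    /* "hosts" database: loads e.g. libnss_files / libnss_dns. */
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) == 0) {
        primed |= NSS_PRIMED_HOSTS;
        freeaddrinfo(res);
    }
    return primed;
}

/* chroot() into dir and chdir("/") so the cwd cannot be used to escape.
   Returns 0 on success, otherwise the errno value (EPERM without
   CAP_SYS_CHROOT, ENOENT if the directory does not exist). */
int enter_chroot(const char *dir)
{
    if (chroot(dir) != 0)
        return errno;
    if (chdir("/") != 0)
        return errno;
    return 0;
}

/* Repeat a lookup after chroot. With the module already loaded, the only
   thing that can fail is the data (e.g. no /etc/passwd inside the jail);
   before the fix in BZ #27389 the module load itself was refused. */
int lookup_after_chroot(const char *user)
{
    return getpwnam(user) != NULL;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty"; /* assumed path */

    int primed = prime_nss("root", "localhost");
    printf("primed before chroot: passwd=%d hosts=%d\n",
           !!(primed & NSS_PRIMED_PASSWD), !!(primed & NSS_PRIMED_HOSTS));

    int err = enter_chroot(jail);
    if (err != 0) {
        fprintf(stderr, "chroot(%s): %s\n", jail, strerror(err));
        return 1;
    }
    printf("lookup after chroot: %s\n",
           lookup_after_chroot("root") ? "ok" : "no data in jail");
    return 0;
}
```

Run it as root with the jail directory as the only argument; without CAP_SYS_CHROOT it reports the chroot() failure and exits. The ordering is the point: every database the service will query after chroot gets one lookup before it, and any lookup that is not primed is a database the service should not expect to have available inside the jail.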
Thread overview: 11+ messages
2021-02-10  8:19 [Bug network/27389] New: getaddrinfo in chroot broken by added dlopen block  sjon at hortensius dot net
2021-02-10  8:41 ` [Bug network/27389] "  sjon at hortensius dot net
2021-02-16 12:45 ` fweimer at redhat dot com
2021-02-16 14:47 ` hyc at symas dot com
2021-02-16 14:50 ` fweimer at redhat dot com
2021-02-17 13:37 ` [Bug network/27389] NSS chroot hardening causes regressions in chroot deployments  fweimer at redhat dot com
2021-02-17 13:37 ` fweimer at redhat dot com
2021-02-17 14:20 ` stli at linux dot ibm.com
2021-03-04 11:46 ` fweimer at redhat dot com [this message]
2021-03-11  8:13 ` crosser at average dot org
2021-09-01  9:25 ` fweimer at redhat dot com