From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 7503339960DE; Thu,  4 Mar 2021 11:46:50 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7503339960DE
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/27389] NSS chroot hardening causes regressions in
 chroot deployments
Date: Thu, 04 Mar 2021 11:46:50 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: network
X-Bugzilla-Version: 2.33
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: 2.34
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields: bug_status target_milestone resolution
Message-ID: <bug-27389-131-dPolrLkoB8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-27389-131@http.sourceware.org/bugzilla/>
References: <bug-27389-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2021 11:46:50 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D27389

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
   Target Milestone|---                         |2.34
         Resolution|---                         |FIXED

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.34.  Also backported to 2.33.

commit 58673149f37389495c098421085ffdb468b3f7ad
Author: DJ Delorie <dj@redhat.com>
Date:   Thu Feb 18 15:26:30 2021 -0500

    nss: Re-enable NSS module loading after chroot [BZ #27389]

    The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
    and to prevent potential security issues like CVE-2019-14271
    the re-loading of nsswitch.conf and all mdoules was disabled
    when the root filesystem changes (see bug 27077).

    Unfortunately php-lpfm and openldap both require the ability
    to continue to load NSS modules after chroot. The packages
    do not exec after the chroot, and so do not cause the
    protections to be reset. The only solution is to re-enable
    only NSS module loading (not nsswitch.conf reloading) and so
    get back the previous glibc behaviour.

    In the future we may introduce a way to harden applications
    so they do not reload NSS modules once the root filesystem
    changes, or that only files/dns are available pre-loaded
    (or builtin).

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

--=20
You are receiving this mail because:
You are on the CC list for the bug.=