On Wed, Jul 4, 2018 at 2:03 PM Lennart Poettering <lennart at poettering.net> wrote:
> I am pretty sure it's not the best design today that nss-ldap inserts
> a complex, network facing piece of code into all kinds of system
> processes the way it does, even the most benign ones such as
> "ls". This is security sensitive stuff after all...
>

There actually exist two modules both named 'libnss_ldap': the original one from PADL loads an LDAP client directly in-process, while the one from 'nslcd' (aka nss-pam-ldapd) uses a Unix socket connection to its own daemon (so it works the same way as nss-resolve). And yes, the one in nslcd should be used whenever possible.

(I think glibc's nscd should also not be forgotten, since it offloads *all* modules into a single caching daemon. Would have protected against last year's glibc libnss_dns CVE, I'm sure.)

-- 
Mantas Mikulėnas
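The distinction drawn in the reply above (an NSS source that runs network client code inside every calling process versus one that only talks to a local daemon over a socket) is something a defender can audit from /etc/nsswitch.conf. The following is an added example, not code from the thread, from systemd, nslcd or PADL. The classification table of NSS sources and the byte-pattern heuristic for telling the two libnss_ldap builds apart are my assumptions, and the nsswitch.conf content is a constructed sample.

```python
"""Audit an nsswitch.conf for NSS sources that run network client code
in-process versus sources that only talk to a local daemon.
Added example; the classification table and the libnss_ldap heuristic are
assumptions, not facts taken from the mailing-list thread."""
import re
from typing import Dict, List, Set

# Constructed sample nsswitch.conf used for the demonstration below.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files resolve [!UNAVAIL=return] dns
networks:   files
"""

# How each common NSS source does its work (assumption: typical packaging).
IN_PROCESS_NETWORK: Set[str] = {"dns", "nis", "nisplus"}               # network I/O inside the caller
DAEMON_BACKED: Set[str] = {"resolve", "sss", "systemd", "mymachines"}  # local socket/D-Bus to a daemon
LOCAL_ONLY: Set[str] = {"files", "compat", "db", "myhostname"}         # no network at all
# "ldap" cannot be classified from the config alone: PADL's libnss_ldap embeds
# an LDAP client, nslcd's libnss_ldap only talks to the nslcd daemon socket.
AMBIGUOUS: Set[str] = {"ldap"}

_ACTION = re.compile(r"\[[^\]]*\]")  # e.g. [!UNAVAIL=return] is an action, not a source


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, hosts, ...) to its ordered list of sources."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        result[db.strip()] = _ACTION.sub(" ", rest).split()
    return result


def classify(source: str) -> str:
    """Bucket one NSS source by where its work actually executes."""
    if source in IN_PROCESS_NETWORK:
        return "in-process-network"
    if source in DAEMON_BACKED:
        return "daemon-backed"
    if source in LOCAL_ONLY:
        return "local-only"
    if source in AMBIGUOUS:
        return "ambiguous"
    return "unknown"


def audit(text: str) -> Dict[str, Set[str]]:
    """Return, per source kind, the set of databases served by such a source."""
    report: Dict[str, Set[str]] = {}
    for db, sources in parse_nsswitch(text).items():
        for src in sources:
            report.setdefault(classify(src), set()).add(db)
    return report


def guess_ldap_flavor(module_bytes: bytes) -> str:
    """Heuristic (assumption): tell the two libnss_ldap builds apart from the
    .so file contents. nslcd's module carries its daemon socket path; PADL's
    module is linked against libldap and therefore carries that soname."""
    if b"/nslcd/socket" in module_bytes:
        return "nslcd"
    if b"libldap" in module_bytes:
        return "padl"
    return "unknown"


if __name__ == "__main__":
    for kind, dbs in sorted(audit(SAMPLE_NSSWITCH).items()):
        print(f"{kind:20s} {', '.join(sorted(dbs))}")
    # On a real host, pass the bytes of the installed libnss_ldap.so.2 to
    # guess_ldap_flavor() to learn which of the two builds is in use.
```

Databases that land in the "in-process-network" bucket are the ones where every process calling getpwnam()/gethostbyname() executes network client code itself; "ambiguous" entries need the libnss_ldap check (or an nscd in front of them) before they can be judged.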