On Mi, 04.07.18 14:50, Mantas Mikulėnas (grawity at gmail.com) wrote:

> (I think glibc's nscd should also not be forgotten, since it offloads *all*
> modules into a single caching daemon. Would have protected against last
> year's glibc libnss_dns CVE, I'm sure.)

glibc's nscd is not really useful as a security mechanism. glibc's client-side NSS code will only wait for a few 100ms for nscd before falling back to client-side NSS lookups. This means that to circumvent any sandboxing applied to nscd it's sufficient to somehow make lookups slow...

nscd is purely and only useful for caching really, where such a fallback makes sense and might be an effective way to automatically recover from any potential deadlocks.

Lennart

--
Lennart Poettering, Red Hat