Last NSS commit is very dangerous
Jacques A. Vidrine
nectar at FreeBSD.org
Thu Apr 1 08:32:59 PST 2004
On Thu, Apr 01, 2004 at 08:04:31PM +0400, Andrey Chernov wrote:
> On Wed, Mar 31, 2004 at 12:39:21PM -0600, Jacques A. Vidrine wrote:
> > I'd really like DETAILS from anyone else encountering any difficulties
> > after yesterday's NSS commit. I have so far been unable to reproduce
> > the issue, nor has the patch submitter been able to reproduce it.
>
> I found exact reason (which also explain why nobody still not been
> hitted). Somehow while editing my /etc/nsswitch.conf access mode becomes
> 0600 while owned by root, i.e. no access from user programs. It
> immediately case bugs I describe.
Thank you very much for investigating further!
> But previous NSS variant can handle this unreadable
> /etc/nsswitch.conf nicely, probably using defaults.
I believe you are mistaken. Are you 100% certain that revision 1.10 of
nsdispatch.c falls back to defaults if /etc/nsswitch.conf exists but is
unreadable? I believe that in this case, the result has always been to
return NS_UNAVAIL for all nsdispatch() requests.
> I think new variant should be fixed to do the same.
I believe that the ``new variant'' behaves exactly as it has since
before 5.2-RELEASE in this case.
> Unreadable /etc/nsswitch.conf is not enough reason to stop working.
``unreadable /etc/nsswitch.conf'' is a different situation than ``no
/etc/nsswitch.conf''. The latter means ``gimme the defaults''. The
former means ``disable NSS''.
I'm willing to listen to arguments that these two situations should be
treated exactly the same.
Cheers,
--
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
More information about the freebsd-current
mailing list