Last NSS commit is very dangerous

Jacques A. Vidrine nectar at
Thu Apr 1 08:32:59 PST 2004

On Thu, Apr 01, 2004 at 08:04:31PM +0400, Andrey Chernov wrote:
> On Wed, Mar 31, 2004 at 12:39:21PM -0600, Jacques A. Vidrine wrote:
> > I'd really like DETAILS from anyone else encountering any difficulties
> > after yesterday's NSS commit.  I have so far been unable to reproduce
> > the issue, nor has the patch submitter been able to reproduce it.
> I found exact reason (which also explain why nobody still not been
> hitted). Somehow while editing my /etc/nsswitch.conf access mode becomes
> 0600 while owned by root, i.e. no access from user programs. It
> immediately case bugs I describe. 

Thank you very much for investigating further!

> But previous NSS variant can handle this unreadable
> /etc/nsswitch.conf nicely, probably using defaults.

I believe you are mistaken.  Are you 100% certain that revision 1.10 of
nsdispatch.c falls back to defaults if /etc/nsswitch.conf exists but is
unreadable?  I believe that in this case, the result has always been to
return NS_UNAVAIL for all nsdispatch() requests.

> I think new variant should be fixed to do the same.

I believe that the ``new variant'' behaves exactly as it has since
before 5.2-RELEASE in this case.

> Unreadable /etc/nsswitch.conf is not enough reason to stop working.

``unreadable /etc/nsswitch.conf'' is a different situation than ``no
/etc/nsswitch.conf''.  The latter means ``gimme the defaults''.  The
former means ``disable NSS''.

I'm willing to listen to arguments that these two situations should be
treated exactly the same.

Jacques Vidrine / nectar at / jvidrine at / nectar at

More information about the freebsd-current mailing list