[systemd-devel] [SECURITY] systemd: nss_myhostname last in /etc/nsswitch.conf may cause problems

Mateusz Jończyk mat.jonczyk at o2.pl
Fri Aug 8 09:00:04 PDT 2014


On 08.08.2014 at 15:32, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Aug 08, 2014 at 01:24:50PM +0200, Mateusz Jończyk wrote:
> We discussed this recently [1]. The idea is that the hostname is
> controlled by the dns admin. There's certain logic to this, and its
> the way that things have always worked.
> 
> OTOH, maybe a documentation patch explaining the situation would not
> be bad.
> 
> [1] http://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg21345.html

Hello,
Countering Lennart's argument:
"2) is something where DNS configuration is usually preferable to though,
since DNS generally is administrator controlled, who might have selected
one specific IP address to expose, rather than just all of the local
ones, which might include local ones on internal or private
interfaces. Also, for reverse resolution it is usually preferable to get
an fqdn from DNS back instead of the exact string set with
sethostname(). nss-myhostname in this regard is just the fallback for
the cases where DNS information is incomplete or not available."

Both issues could be solved by patching nss_myhostname:
 - some configuration file which specifies which IP addresses to expose for the
local hostname,
 - reverse resolution may also be configurable, for example we could ask DNS
only for the reverse resolution of local IP addresses (except for 127.0.0.1).


We may alternatively just give two recommendations:
- for personal desktops and laptops, where the DNS server is on the ISP network,
myhostname should be first.
- for servers and boxes on corporate, trusted networks (if such exist at all),
where the above advantages matter and are more important than security, dns
should be first.

-- 
Greetings,
Mateusz Jończyk
AEI, Computer Science, 3rd semester of Master's studies, BDiIS
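The recommendation in the mail boils down to the relative position of `myhostname` and `dns` on the `hosts:` line of /etc/nsswitch.conf. The following check is an added example, not code from this mail or from the systemd project: it parses an nsswitch.conf-style text, extracts the service order from the active `hosts:` line (skipping comments and action specifiers such as `[NOTFOUND=return]`), and reports whether DNS gets to answer for the local hostname before nss_myhostname does. The function names, the verdict labels and the two sample configurations are assumptions made for the example; the samples are constructed, not taken from a real host.

```python
"""Check the order of 'myhostname' vs 'dns' on the hosts: line of an
nsswitch.conf-style file.

Added example, not code from the original mail or from systemd. The
function names, the verdict labels and the sample configuration texts
are assumptions made for this example.
"""
import re


def hosts_services(text):
    """Return the service names on the active 'hosts:' line, in order.

    Comments (#...) are stripped, action specifiers such as
    '[NOTFOUND=return]' are skipped, and only the first non-comment
    'hosts:' line is used.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^hosts\s*:\s*(.*)$", line)
        if not m:
            continue
        services = []
        for tok in m.group(1).split():
            if tok.startswith("["):  # action specifier, e.g. [NOTFOUND=return]
                continue
            services.append(tok)
        return services
    return []


def check_myhostname_order(text):
    """Classify the hosts: line (labels are assumed for this example).

      'myhostname-first' - the local hostname is answered locally before DNS
      'dns-first'        - DNS (and thus the DNS admin) gets to answer first
      'no-myhostname'    - nss_myhostname is not enabled at all
      'no-hosts-line'    - no usable hosts: line in the file
    """
    services = hosts_services(text)
    if not services:
        return "no-hosts-line"
    if "myhostname" not in services:
        return "no-myhostname"
    if "dns" not in services:
        return "myhostname-first"
    if services.index("myhostname") < services.index("dns"):
        return "myhostname-first"
    return "dns-first"


# Constructed sample configurations (not from any real host).
# The mail's concern: on a laptop using the ISP's resolver, this order lets
# that resolver answer for the local hostname.
LAPTOP_WEAK = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files
hosts:  files dns myhostname
"""

# The order the mail recommends for desktops and laptops.
LAPTOP_FIXED = """\
hosts:  files myhostname dns
"""

if __name__ == "__main__":
    for name, cfg in (("weak", LAPTOP_WEAK), ("fixed", LAPTOP_FIXED)):
        print(name, hosts_services(cfg), check_myhostname_order(cfg))
```

Run it against a real file with `check_myhostname_order(open("/etc/nsswitch.conf").read())`; a `dns-first` verdict on a machine whose resolver is not under your control is the situation the mail warns about.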
