[systemd-devel] [SECURITY] systemd: nss_myhostname last in /etc/nsswitch.conf may cause problems

Lennart Poettering lennart at poettering.net
Mon Aug 11 03:41:28 PDT 2014


On Fri, 08.08.14 18:00, Mateusz Jończyk (mat.jonczyk at o2.pl) wrote:

> Both issues could be solved by patching nss_myhostname:
>  - some configuration file which specifies which IP addresses to expose for the
> local hostname,
>  - reverse resolution may also be configurable, for example we could ask DNS
> only for the reverse resolution of local IP addresses (except for 127.0.0.1).

Humm. No. The entire idea of nss-myhostname is that it resolves the
local hostnames to the local IP addresses, whatever they are, fully
dynamically. It's supposed to be configuration-free, stuff that just
works, and returns the right data without any manual intervention.

I mean, if adding a configuration file for this was desired: there's
already one /etc/hosts. Which has been used for this kind of stuff since
time began. But the idea here was to make it unnecessary to ever
configure something and just make it magically work.

> We may alternatively just give two recommendations:
> - for personal desktops and laptops, where the DNS server is on the ISP network,
> myhostname should be first.
> - for servers and boxes on corporate, trusted networks (if such exist at all),
> when the above advantages matter and are more important than security, dns
> should be first.

No. People should just not assume any trust on name resolution unless DNSSEC
or TLS or whatever else proves it.

Lennart

-- 
Lennart Poettering, Red Hat
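To make the two orderings discussed in the thread concrete, the following is an added shell example; it is not code from the thread, from Mateusz, or from the systemd project. It embeds two constructed /etc/nsswitch.conf fragments, one with dns listed ahead of myhostname and one with myhostname ahead of dns, and a small audit that reports which of the two modules would be consulted first for the hosts: database. The sample contents, the variable names and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the systemd-devel thread or the systemd project.
# Audits the "hosts:" line of an nsswitch.conf and reports whether the
# myhostname module is consulted before dns (so a lookup of the local
# hostname is answered locally) or only after dns has had its say.

# Constructed sample configurations; not copied from any real system.
NSSWITCH_DNS_FIRST='# /etc/nsswitch.conf (constructed sample, dns before myhostname)
passwd:     files systemd
hosts:      files dns [NOTFOUND=return] myhostname
networks:   files'

NSSWITCH_MYHOSTNAME_FIRST='# /etc/nsswitch.conf (constructed sample, myhostname before dns)
passwd:     files systemd
hosts:      files myhostname dns
networks:   files'

# hosts_order CONFIG_TEXT
# Prints the module names of the hosts: line in order, one per line.
# Comments are stripped and [action] tokens such as [NOTFOUND=return]
# are dropped, since they are not modules.
hosts_order() {
    printf '%s\n' "$1" \
      | sed -e 's/#.*//' \
      | awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# myhostname_before_dns CONFIG_TEXT
# Returns 0 if myhostname is consulted before dns (or dns is absent),
# 1 if dns is consulted before myhostname, 2 if myhostname is not listed.
myhostname_before_dns() {
    order=$(hosts_order "$1")
    my=$(printf '%s\n' "$order" | awk '$1 == "myhostname" { print NR; exit }')
    dns=$(printf '%s\n' "$order" | awk '$1 == "dns" { print NR; exit }')
    if [ -z "$my" ]; then
        return 2
    elif [ -n "$dns" ] && [ "$dns" -lt "$my" ]; then
        return 1
    fi
    return 0
}

# audit_nsswitch CONFIG_TEXT
# Prints a one-line verdict for the given configuration text.
audit_nsswitch() {
    rc=0
    myhostname_before_dns "$1" || rc=$?
    case $rc in
        0) echo "ok: myhostname is consulted before dns" ;;
        1) echo "warn: dns is consulted before myhostname; a DNS answer can shadow the local hostname" ;;
        2) echo "warn: myhostname is not listed on the hosts: line" ;;
    esac
}

# Run the audit over both constructed samples.
audit_nsswitch "$NSSWITCH_DNS_FIRST"
audit_nsswitch "$NSSWITCH_MYHOSTNAME_FIRST"
```

To audit a real machine, feed it the live file, e.g. `audit_nsswitch "$(cat /etc/nsswitch.conf)"`, and compare with what `getent hosts "$(hostname)"` actually returns for the local hostname under the configured order.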