[systemd-devel] [systemd-commits] factory/etc

Colin Guthrie gmane at colin.guthr.ie
Mon Jul 28 08:52:29 PDT 2014


Zbigniew Jędrzejewski-Szmek wrote on 27/07/14 18:09:
> On Sun, Jul 27, 2014 at 05:54:15AM -0700, Kay Sievers wrote:
>>  factory/etc/nsswitch.conf |    6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> New commits:
>> commit ccc6fa0d6b8e3ce5e7508ee8a141ee26f380b4a3
>> Author: Kay Sievers <kay at vrfy.org>
>> Date:   Sun Jul 27 14:53:21 2014 +0200
>>
>>     factory: nss - add generic config
>>
>> diff --git a/factory/etc/nsswitch.conf b/factory/etc/nsswitch.conf
>> new file mode 100644
>> index 0000000..5f2984e
>> --- /dev/null
>> +++ b/factory/etc/nsswitch.conf
>> @@ -0,0 +1,6 @@
>> +# This file is part of systemd.
>> +
>> +passwd: files
>> +shadow: files
>> +group:  files
>> +hosts:  files mymachines resolve myhostname
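Review bot: the `hosts:` line at the end of the hunk places `mymachines` and `resolve` ahead of `myhostname`, so records for guest machines and answers from DNS are consulted before the local hostname and `localhost` names that `myhostname` serves; since the local configuration is the more trustworthy source (and the one a spoofed DNS reply cannot influence), consider `hosts:  files myhostname mymachines resolve`, keeping `files` first so static /etc/hosts entries still take precedence.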
> Hi Kay,
> 
> I know that traditionally myhostname is added at the end. 

Oh, crap. I just realised that all my setups have myhostname before dns.
Oops!

> But local
> configuration should be more trusted than DNS (*). It is also more
> trusted than guest machines. So imho the right order is
> 
>   files myhostname mymachines resolve

That would match my natural assumption (i.e. I saw myhostname as a
replacement for putting static, but expected, definitions in /etc/hosts)
so glad I'm not venturing too far off the reservation :p

> (*) One specific example that I've encountered is when local DNS is
> tied with DHCP server, and registers names automatically. Then a
> misconfiguration of the DNS server is likely, and it wreaks havoc.
> Common examples are starting to resolve 'localhost' when a computer without
> a hostname configured (and thus using localhost.localdomain as the fqdn)
> acquired an address, or resolving the name of a computer to the address
> of a previous lease.
> 
> Also, since DNS is not (usually) secure against attack over the local
> network, by giving DNS higher priority, we open up an attack vector
> where 'localhost' can be spoofed to refer to a different machine, even
> with a correctly functioning server. There's no valid reason to make
> the resolution of localhost* names configurable through DNS, so we may
> just as well do it locally for speed and robustness. The same logic
> is true for the other names returned by myhostname.

Seems sensible to me but will be interested to hear if there is a
counter argument.

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
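A defender's check for the ordering question raised in this thread, added here as an example and not part of the original exchange or of systemd: it parses the `hosts:` line of an nsswitch.conf and reports whether `dns`, `resolve` or `mymachines` is consulted before `myhostname`. The sample configurations are constructed inline rather than read from /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "hosts:" line of an
# nsswitch.conf and flag configurations where a network-backed source
# (dns, resolve) or the guest-machine source (mymachines) is consulted
# before myhostname, which is the ordering the thread argues against.

# check_hosts_order [FILE] -> prints "ok" or "weak: <reason>"
# Reads FILE, or standard input when no FILE is given.
check_hosts_order() {
    awk '
        /^[[:space:]]*hosts:/ {
            sub(/^[[:space:]]*hosts:/, "")   # keep only the source list
            sub(/#.*/, "")                   # drop any trailing comment
            pos_my = 0; pos_net = 0; net_name = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "myhostname") pos_my = i
                # remember the first source that answers from the network
                # or from other machines
                if (($i == "dns" || $i == "resolve" || $i == "mymachines") && pos_net == 0) {
                    pos_net = i; net_name = $i
                }
            }
            if (pos_my == 0)
                print "weak: myhostname absent"
            else if (pos_net != 0 && pos_net < pos_my)
                print "weak: " net_name " consulted before myhostname"
            else
                print "ok"
            found = 1
            exit
        }
        END { if (!found) print "weak: no hosts line" }
    ' "${1:--}"
}

# Constructed samples: the committed ordering and the ordering suggested in reply.
committed='hosts:  files mymachines resolve myhostname'
suggested='hosts:  files myhostname mymachines resolve'

printf '%s\n' "$committed" | check_hosts_order   # weak: mymachines consulted before myhostname
printf '%s\n' "$suggested" | check_hosts_order   # ok
```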

