[systemd-devel] [SECURITY] systemd: nss_myhostname last in /etc/nsswitch.conf may cause problems
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Fri Aug 8 06:32:38 PDT 2014
On Fri, Aug 08, 2014 at 01:24:50PM +0200, Mateusz Jończyk wrote:
> Hello,
> The man page for nss-myhostname:
> http://www.freedesktop.org/software/systemd/man/nss-myhostname.html
> suggests that myhostname should be used as a last entry in
> /etc/nsswitch.conf:
> "It is recommended to put myhostname last in the nsswitch.conf line to
> make sure that this mapping is only used as fallback, and any DNS or
> /etc/hosts based mapping takes precedence."
>
> This may be risky because an attacker that knows the system hostname and
> can control DNS query results (by MITM attacks, i.e. after breaking into
> a home gateway) is able to redirect requests to the local host to a
> machine of his control.
>
> For example if I opened "http://mateusz-ubuntu:631" in a web browser,
> and logged in there, an attacker could gain access to my CUPS user password.
>
> On the other hand, an attacker that is able to listen to DNS queries can
> get knowledge of the local hostname (because it usually does not contain
> any dots) and that way identify a person behind a particular IP address
> (and/or gain some knowledge of his software / hardware - for example my
> hostname is mateusz-ubuntu).
We discussed this recently [1]. The idea is that the hostname is
controlled by the DNS admin. There's a certain logic to this, and it's
the way that things have always worked.
OTOH, maybe a documentation patch explaining the situation would not
be bad.
[1] http://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg21345.html
Zbyszek
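The ordering question in this thread, as an added example that is not from the thread or from systemd: a POSIX shell check that parses the hosts: line of an nsswitch.conf and reports whether dns is consulted before myhostname, i.e. whether a DNS answer for the bare hostname would be accepted before the local fallback. The sample configurations are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "hosts:" line of an
# nsswitch.conf and report whether the myhostname module sits behind dns,
# the ordering the man page recommends and the one in which a DNS answer
# for the bare hostname is used before the local fallback is consulted.

# Constructed sample configurations (not copied from any real system).
SAMPLE_RECOMMENDED='passwd: files
group:  files
hosts:  files dns myhostname
networks: files'

SAMPLE_LOCAL_FIRST='passwd: files
group:  files
hosts:  files myhostname dns
networks: files'

# Print the 1-based position of module $2 in the hosts: line of the
# nsswitch.conf text given in $1, or 0 when it is not listed.
hosts_module_index() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        /^[[:space:]]*hosts:/ && !done {
            sub(/^[[:space:]]*hosts:[[:space:]]*/, "")
            gsub(/\[[^]]*\]/, "")          # drop [STATUS=action] qualifiers
            n = split($0, f, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (f[i] == mod) { idx = i; break }
            done = 1
        }
        END { print idx + 0 }'
}

# Succeed (exit 0) when both dns and myhostname are listed and dns comes
# first, i.e. DNS answers take precedence over the local hostname mapping.
dns_before_myhostname() {
    dns_pos=$(hosts_module_index "$1" dns)
    my_pos=$(hosts_module_index "$1" myhostname)
    [ "$dns_pos" -gt 0 ] && [ "$my_pos" -gt 0 ] && [ "$dns_pos" -lt "$my_pos" ]
}

# Report on the running system's configuration when it is readable.
if [ -r /etc/nsswitch.conf ]; then
    if dns_before_myhostname "$(cat /etc/nsswitch.conf)"; then
        echo "hosts: dns precedes myhostname; a DNS answer for '$(uname -n)' is used before the local fallback"
    else
        echo "hosts: myhostname is not listed behind dns (or one of them is absent)"
    fi
fi
```

Run it on a machine to see which way the live /etc/nsswitch.conf is ordered; the two constructed samples show the check on both orderings.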