[systemd-devel] [systemd-commits] factory/etc
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sun Jul 27 10:09:15 PDT 2014
On Sun, Jul 27, 2014 at 05:54:15AM -0700, Kay Sievers wrote:
> factory/etc/nsswitch.conf | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> New commits:
> commit ccc6fa0d6b8e3ce5e7508ee8a141ee26f380b4a3
> Author: Kay Sievers <kay at vrfy.org>
> Date: Sun Jul 27 14:53:21 2014 +0200
>
> factory: nss - add generic config
>
> diff --git a/factory/etc/nsswitch.conf b/factory/etc/nsswitch.conf
> new file mode 100644
> index 0000000..5f2984e
> --- /dev/null
> +++ b/factory/etc/nsswitch.conf
> @@ -0,0 +1,6 @@
> +# This file is part of systemd.
> +
> +passwd: files
> +shadow: files
> +group: files
> +hosts: files mymachines resolve myhostname
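Review bot: the source order on the `hosts:` line places `myhostname` after `resolve`, so a DNS answer for `localhost` or for the machine's own name takes precedence over the local provider; the local sources (`files`, `myhostname`) should come before the network-backed `resolve`, i.e. `hosts: files myhostname mymachines resolve`, so that these names are always answered locally regardless of what a (mis)configured or spoofed DNS server returns.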
Hi Kay,

I know that traditionally myhostname is added at the end. But local
configuration should be more trusted than DNS (*). It is also more
trusted than guest machines. So imho the right order is

    files myhostname mymachines resolve

(*) One specific example that I've encountered is when local DNS is
tied with a DHCP server, and registers names automatically. Then a
misconfiguration of the DNS server is likely, and it wreaks havoc.
Common examples include starting to resolve 'localhost' when a computer without
a hostname configured (and thus using localhost.localdomain as the fqdn)
acquired an address, or resolving the name of a computer to the address
of a previous lease.

Also, since DNS is not (usually) secure against attack over the local
network, by giving DNS higher priority we open up an attack vector
where 'localhost' can be spoofed to refer to a different machine, even
with a correctly functioning server. There's no valid reason to make
the resolution of localhost* names configurable through DNS, so we may
just as well do it locally for speed and robustness. The same logic
is true for the other names returned by myhostname.

Zbyszek
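A small lint for the ordering issue discussed in this thread, added here as an example; it is not part of the original mail or of systemd. It parses the `hosts:` line of an nsswitch.conf and reports any local source (`files`, `myhostname`) that is consulted only after a network-backed one (`dns`, `resolve`), using the committed and the proposed lines as constructed sample input.

```python
"""Flag nsswitch.conf hosts: lines where DNS outranks local name sources."""
import re

LOCAL_SOURCES = {"files", "myhostname"}     # answer for localhost / own hostname
NETWORK_SOURCES = {"dns", "resolve"}        # answers come from the network


def parse_hosts_line(text: str) -> list[str]:
    """Return the ordered source names on the hosts: line.

    Comments and action specifiers such as [NOTFOUND=return] are skipped.
    Returns [] when the file has no hosts: line.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "hosts":
            rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip [action] specifiers
            return rest.split()
    return []


def local_sources_behind_network(sources: list[str]) -> list[str]:
    """Return local sources that appear after the first network source."""
    first_net = next(
        (i for i, s in enumerate(sources) if s in NETWORK_SOURCES), None)
    if first_net is None:
        return []
    return [s for s in sources[first_net + 1:] if s in LOCAL_SOURCES]


# Constructed samples: the committed factory line and the order proposed above.
FACTORY_CONF = ("# This file is part of systemd.\n\n"
                "passwd: files\n"
                "hosts: files mymachines resolve myhostname\n")
PROPOSED_CONF = "hosts: files myhostname mymachines resolve\n"

if __name__ == "__main__":
    for name, conf in (("factory", FACTORY_CONF), ("proposed", PROPOSED_CONF)):
        late = local_sources_behind_network(parse_hosts_line(conf))
        verdict = "OK" if not late else f"local source(s) behind DNS: {late}"
        print(f"{name}: {verdict}")
```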