[systemd-devel] systemd-resolved and nss_ldap

Lennart Poettering lennart at poettering.net
Wed Jul 4 12:52:39 UTC 2018


On Mi, 04.07.18 14:50, Mantas Mikulėnas (grawity at gmail.com) wrote:

> (I think glibc's nscd should also not be forgotten, since it offloads *all*
> modules into a single caching daemon. Would have protected against last
> year's glibc libnss_dns CVE, I'm sure.)

glibc's nscd is not really useful as a security mechanism. glibc's
client-side NSS code will only wait for a few 100ms for nscd before
falling back to client-side NSS lookups. This means to circumvent any
sandboxing applied to nscd it's sufficient to somehow make lookups
slow...

nscd is purely and only useful for caching really, where such a
fallback makes sense and might be an effective way to automatically
recover from any potential deadlocks.

Lennart

-- 
Lennart Poettering, Red Hat
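One consequence of the fallback described above is that sandboxing nscd does not stop clients from mapping NSS backends in their own address space. The following check, added here as an illustration and not part of the mailing-list thread or of glibc/systemd, scans /proc/<pid>/maps for libnss_* shared objects so an administrator can see which processes are running NSS backends in-process; the maps excerpt it ships with is constructed, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Audit which NSS backend modules are mapped inside client processes.

If nscd is sandboxed but clients still have libnss_dns / libnss_ldap
mapped in-process (because nscd is not running, or because a slow
lookup triggered glibc's client-side fallback), the sandbox around
nscd is not a security boundary for those backends.
"""
import glob
import re
from typing import Dict, Set

# Shared-object name of an NSS backend, e.g. /usr/lib64/libnss_dns.so.2
NSS_RE = re.compile(r"/(libnss_[A-Za-z0-9_]+)\.so")


def nss_modules_in_maps(maps_text: str) -> Set[str]:
    """Return the NSS module names found in one /proc/<pid>/maps text."""
    return {m.group(1) for m in NSS_RE.finditer(maps_text)}


def scan_live_processes() -> Dict[int, Set[str]]:
    """Scan /proc for processes with NSS backends mapped in-process."""
    found: Dict[int, Set[str]] = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(path.split("/")[2])
        try:
            with open(path) as f:
                mods = nss_modules_in_maps(f.read())
        except OSError:  # process exited, or maps not readable unprivileged
            continue
        if mods:
            found[pid] = mods
    return found


# Constructed sample of a /proc/<pid>/maps excerpt (not from a real host).
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c021000 r-xp 00000000 fd:01 1234 /usr/lib64/libc.so.6
7f1a2c400000-7f1a2c403000 r-xp 00000000 fd:01 5678 /usr/lib64/libnss_dns.so.2
7f1a2c600000-7f1a2c60a000 r-xp 00000000 fd:01 9012 /usr/lib64/libnss_ldap.so.2
7f1a2c800000-7f1a2c805000 r-xp 00000000 fd:01 3456 /usr/lib64/libnss_files.so.2
"""

if __name__ == "__main__":
    print("sample:", sorted(nss_modules_in_maps(SAMPLE_MAPS)))
    for pid, mods in sorted(scan_live_processes().items()):
        print(pid, sorted(mods))
```

On glibc 2.34 and later the dns and files backends are built into libc.so.6 itself and no longer appear as separate mappings, so only external backends such as libnss_ldap remain visible this way.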
