glibc/nss
DJ Delorie 58673149f3 nss: Re-enable NSS module loading after chroot [BZ #27389]
The glibc 2.33 release enabled /etc/nsswitch.conf reloading,
and to prevent potential security issues like CVE-2019-14271
the re-loading of nsswitch.conf and all modules was disabled
when the root filesystem changes (see bug 27077).

Unfortunately php-lpfm and openldap both require the ability
to continue to load NSS modules after chroot. The packages
do not exec after the chroot, and so do not cause the
protections to be reset. The only solution is to re-enable
only NSS module loading (not nsswitch.conf reloading) and so
get back the previous glibc behaviour.

In the future we may introduce a way to harden applications
so they do not reload NSS modules once the root filesystem
changes, or that only files/dns are available pre-loaded
(or builtin).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2021-03-02 16:14:18 -05:00
..
nss_compat Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_db Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_files Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-db-endgrent.root/etc nss_db: fix endent wrt NULL mappings [BZ #24695] [BZ #24696] 2019-07-10 14:51:18 -04:00
tst-nss-db-endpwent.root nss_db: fix endent wrt NULL mappings [BZ #24695] [BZ #24696] 2019-07-10 14:51:18 -04:00
tst-nss-files-hosts-long.root/etc nss: tst-nss-files-hosts-long: Add host.conf [BZ #21915] 2019-02-21 16:02:29 -05:00
tst-nss-test3.root Add test-in-container infrastructure. 2018-08-22 21:20:37 -04:00
tst-reload1.root nsswitch: user new internal API (tests) 2020-12-04 17:16:01 -05:00
tst-reload2.root nss: Re-enable NSS module loading after chroot [BZ #27389] 2021-03-02 16:14:18 -05:00
alias-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
bug17079.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
bug-erange.c
compat-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
databases.def Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
db-Makefile Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
Depend
digits_dots.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
ethers-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
function.def Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getent.c Update copyright dates not handled by scripts/update-copyrights. 2021-01-02 12:17:34 -08:00
getnssent_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getnssent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getXXbyYY_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getXXbyYY.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getXXent_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
getXXent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
grp-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
hosts-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
key-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
makedb.c Update copyright dates not handled by scripts/update-copyrights. 2021-01-02 12:17:34 -08:00
Makefile nsswitch: do not reload if "/" changes 2021-01-27 13:35:15 -05:00
netgrp-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
network-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_action_parse.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_action.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_action.h Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_database.c nss: Re-enable NSS module loading after chroot [BZ #27389] 2021-03-02 16:14:18 -05:00
nss_database.h Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_fgetent_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_files_fopen.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_hash.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_module.c nsswitch: do not reload if "/" changes 2021-01-27 13:35:15 -05:00
nss_module.h nsswitch: do not reload if "/" changes 2021-01-27 13:35:15 -05:00
nss_parse_line_result.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_readline.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_test1.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_test2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_test.h Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nss_test.ver Extend NSS test suite 2017-07-17 15:52:44 -04:00
nss.h Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nsswitch.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
nsswitch.conf Remove --enable-obsolete-nsl configure flag 2020-07-08 17:25:57 +02:00
nsswitch.h Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
proto-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
pwd-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
rewrite_field.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
rpc-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
service-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
sgrp-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
spwd-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
test-digits-dots.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
test-netdb.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-cancel-getpwuid_r.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-field.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-db-endgrent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-db-endpwent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-alias-leak.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-alias-truncated.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-hosts-erange.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-hosts-getent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-hosts-long.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-files-hosts-multi.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-getpwent.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-static.c Update nss tests to new skeleton 2017-08-17 18:00:51 -04:00
tst-nss-test1.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-test2.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-test3.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-test4.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-nss-test5.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-reload1.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
tst-reload2.c nss: Re-enable NSS module loading after chroot [BZ #27389] 2021-03-02 16:14:18 -05:00
valid_field.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
valid_list_field.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
Versions nss: Add __nss_fgetent_r 2020-07-21 07:33:50 +02:00
XXX-lookup.c Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00