On Wed, Jul 4, 2018 at 2:03 PM Lennart Poettering <[email protected]>
wrote:

> I am pretty sure it's not the best design today that nss-ldap inserts
> a complex, network facing piece of code into all kinds of system
> processes the way it does, even the most benign ones such as
> "ls". This is security sensitive stuff after all...
>

There actually exist two modules both named 'libnss_ldap': the original one
from PADL loads an LDAP client directly in-process, while the one from
'nslcd' (aka nss-pam-ldapd) uses a Unix socket connection to its own daemon
(so it works the same way as nss-resolve). And yes, the one in nslcd should
be used whenever possible.

(I think glibc's nscd should also not be forgotten, since it offloads *all*
modules into a single caching daemon. Would have protected against last
year's glibc libnss_dns CVE, I'm sure.)

-- 
Mantas Mikulėnas
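As an added example (not part of the thread), a small Python check a defender can run to see which NSS databases in nsswitch.conf route through the ldap module, and whether the installed libnss_ldap declares libldap as a direct dependency, which is the in-process design discussed above rather than the socket-to-nslcd one; the sample config, the library search paths and the use of readelf are assumptions.

```python
"""Inventory NSS ldap usage on a host.

Added example, not code from the thread. Assumes a Linux host with binutils
(readelf) and a glibc-style nsswitch.conf layout.
"""
import re
import subprocess
from pathlib import Path

# Constructed sample of an nsswitch.conf, not a real host's file.
SAMPLE_NSSWITCH = """\
# constructed sample
passwd:     files ldap
group:      files ldap
shadow:     files
hosts:      files resolve [!UNAVAIL=return] dns
"""

# Assumed search locations for NSS modules; adjust for your distribution.
MODULE_DIRS = [Path("/lib"), Path("/lib64"), Path("/usr/lib"),
               Path("/usr/lib64"), Path("/usr/lib/x86_64-linux-gnu")]


def ldap_databases(text: str) -> list[str]:
    """Return the NSS databases whose lookup chain includes the 'ldap' module."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        db, chain = line.split(":", 1)
        # Module names may be followed by [status=action] groups; strip those.
        modules = re.sub(r"\[[^\]]*\]", " ", chain).split()
        if "ldap" in modules:
            found.append(db.strip())
    return found


def needed_libldap(module_path: Path) -> list[str]:
    """List libldap* entries in the module's NEEDED dynamic section.

    A non-empty result means the NSS module itself carries an LDAP client
    (PADL-style, loaded into every calling process); nslcd's module instead
    talks to its daemon over a Unix socket and needs no libldap.
    """
    out = subprocess.run(["readelf", "-d", str(module_path)],
                         capture_output=True, text=True, check=False).stdout
    return re.findall(r"NEEDED.*\[(libldap[^\]]*)\]", out)


if __name__ == "__main__":
    print("databases using ldap:", ldap_databases(SAMPLE_NSSWITCH))
    for mod in (p for d in MODULE_DIRS if d.is_dir()
                for p in d.glob("libnss_ldap.so*")):
        print(mod, "in-process LDAP client:" , bool(needed_libldap(mod)))
```

Run it as root-less inventory on each host; replace SAMPLE_NSSWITCH with the contents of /etc/nsswitch.conf to check the live configuration.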
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel