Don’t use entire /etc/nsswitch.conf file
The default nsswitch.conf(5) file in most distros can handle many different things including host name, user names, groups, etc. In Nix, we want to limit the amount of impurities that come from these things. As a result, we should only allow nss to be used for gethostbyname(3) and getservent(3). /cc @Ericson2314
This commit is contained in:
parent
324a5dc92f
commit
ec0087df0a
1 changed file with 7 additions and 1 deletion
@ -2728,7 +2728,13 @@ void DerivationGoal::runChild()
on. */
on. */
if (fixedOutput) {
if (fixedOutput) {
ss.push_back("/etc/resolv.conf");
ss.push_back("/etc/resolv.conf");
ss.push_back("/etc/nsswitch.conf");
// Only use nss functions to resolve hosts and
// services. Don’t use it for anything else that may
// be configured for this system. This limits the
// potential impurities introduced in fixed outputs.
writeFile(chrootRootDir + "/etc/nsswitch.conf", "hosts: files dns\nservices: files\n");
ss.push_back("/etc/services");
ss.push_back("/etc/services");
ss.push_back("/etc/hosts");
ss.push_back("/etc/hosts");
if (pathExists("/var/run/nscd/socket"))
if (pathExists("/var/run/nscd/socket"))
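Review bot: the new `writeFile(chrootRootDir + "/etc/nsswitch.conf", ...)` call assumes the chroot's `/etc` directory already exists at this point in `runChild()`; the surrounding lines only append host paths to `ss` for later bind-mounting and do not create that directory, so please confirm the `mkdir` of `chrootRootDir + "/etc"` happens before this line, or move the write to after the chroot `/etc` is set up, otherwise the fixed-output branch will throw on the write. The content itself is consistent with the bind mounts that follow: `hosts: files dns` needs `/etc/hosts` and `/etc/resolv.conf`, and `services: files` needs `/etc/services`, and all three are still pushed onto `ss` in this hunk, so dropping the host's `/etc/nsswitch.conf` from `ss` is safe. Two small style points: the added comment uses a typographic apostrophe (`Don’t`), which introduces a non-ASCII byte into the source; prefer `Don't`. And a one-line mention in the comment that this restriction only applies to fixed-output derivations (it sits inside `if (fixedOutput)`) would make the intent clearer to a reader who lands on the `writeFile` without the commit message.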