Re: [RFC PATCH v4 1/2] configure: Remove --enable-obsolete-nsl

2020-06-24 Thread Florian Weimer
* Petr Vorel:

> diff --git a/NEWS b/NEWS
> index a660fc59a8..cfaf50c816 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -33,6 +33,14 @@ Major new features:
>  
>  Deprecated and removed features, and other changes affecting compatibility:
>  
> +* Remove configure option --enable-obsolete-nsl. libnsl is only built as 
> shared
> +  library for backward compatibility and the NSS modules libnss_compat,
> +  libnss_nis and libnss_nisplus are not built at all, libnsl's headers aren't
> +  installed. This compatibility is kept only for architectures and ABIs that
> +  have been added in or before version 2.28. Replacement implementations 
> based
> +  on TI-RPC, which additionally support IPv6, are available from
> +  .
> +
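
Review bot: the last sentence of the new entry ends "are available from ." with no source named, so the place to obtain the TI-RPC replacements is missing from the text; name the project or URL there.  Two smaller wording fixes in the same lines: "libnsl is only built as shared library" should read "as a shared library", and "are not built at all, libnsl's headers aren't installed" is a comma splice that wants a full stop (and "are not" rather than "aren't" in a NEWS entry).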

Please add two spaces after sentence-ending periods.  And wrap the lines
a bit earlier (column 72 or so).

> diff --git a/grp/initgroups.c b/grp/initgroups.c
> index f4c4e986e9..0c17141117 100644
> --- a/grp/initgroups.c
> +++ b/grp/initgroups.c
> @@ -31,12 +31,6 @@
>  #include "../nscd/nscd-client.h"
>  #include "../nscd/nscd_proto.h"
>  
> -#ifdef LINK_OBSOLETE_NSL
> -# define DEFAULT_CONFIG "compat [NOTFOUND=return] files"
> -#else
> -# define DEFAULT_CONFIG "files"
> -#endif
> -
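
Review bot: the hunk deletes both branches of the #ifdef, including the fallback `# define DEFAULT_CONFIG "files"`, but no replacement definition is visible in the context, so any remaining use of DEFAULT_CONFIG in this file would no longer compile.  Either keep an unconditional `#define DEFAULT_CONFIG "files"` here, or make the removal of the last use of the macro visible in the same patch so the two changes can be reviewed together.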

That looks a bit like a pre-existing bug—we do have nss_compat even
without libnsl.  But the change itself looks okay.
 
> diff --git a/manual/nss.texi b/manual/nss.texi
> index 821469a78a..7cb307246a 100644
> --- a/manual/nss.texi
> +++ b/manual/nss.texi
> @@ -328,17 +328,11 @@ For the @code{hosts} and @code{networks} databases the 
> default value is
>  the DNS service not to be available but if it is available the answer it
>  returns is definitive.
>  
> -The @code{passwd}, @code{group}, and @code{shadow} databases are
> +The @code{passwd}, @code{group}, and @code{shadow} databases was
>  traditionally handled in a special way.  The appropriate files in the
> -@file{/etc} directory are read but if an entry with a name starting
> -with a @code{+} character is found NIS is used.  This kind of lookup
> -remains possible if @theglibc{} was configured with the
> -@code{--enable-obsolete-nsl} option and the special lookup service
> -@code{compat} is used.  If @theglibc{} was configured with the
> -@code{--enable-obsolete-nsl} option the default value for the three
> -databases above is @code{compat [NOTFOUND=return] files}.  If the
> -@code{--enable-obsolete-nsl} option was not used the default value
> -for the services is @code{files}.
> +@file{/etc} directory were read but if an entry with a name starting
> +with a @code{+} character was found NIS was used.  This kind of lookup
> +was removed and now the default value for the services is @code{files}.
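
Review bot: the rewritten first line introduces a number agreement error: "The @code{passwd}, @code{group}, and @code{shadow} databases was traditionally handled" should be "were traditionally handled".  The past tense in the rest of the paragraph is also misleading: the files in @file{/etc} are still read, so "were read" suggests more was removed than the @code{+} handling.  Say explicitly what is gone (the NIS lookup triggered by @code{+} entries and the @code{compat} default) and whether the @code{compat} service itself still exists, since the deleted text tied it to @code{--enable-obsolete-nsl} and the NEWS entry in this series says libnss_compat is no longer built.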

I wonder if it makes sense to reference nss_compat here?

Thanks,
Florian



Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename [and 1 more messages]

2020-06-24 Thread Florian Weimer
* Aurelien Jarno:

>> This doesn't seem correct to me.  Is there any documentation giving a
>> rationale for this?  Is there a way to change this locally?
>
> I do not know enough about apparmor and its threat model to know if it
> should be considered or not. From the glibc point of view, nothing can
> be really done, it just obeys the AT_SECURE flag passed by the kernel.
>
> Now looking at apparmor.d(5), it seems it *might* be controlled by the
> change_profile option with the safe and unsafe mode. But I don't speak
> apparmor fluently enough to actually know how to introduce that option
> in a profile.

I think LSMs can nowadays also express security transitions that trust
the execution environment, that is, that they add more restrictions
instead of increasing privileges.  I believe we use this with SELinux,
so that these transitions do not cause AT_SECURE to be set.  Maybe
this is something that apparmor could do as well?

Thanks,
Florian
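
An added diagnostic for the AT_SECURE behaviour discussed above (example code written for this thread, not glibc's or the bug reporter's): it reports the current process's AT_SECURE flag via getauxval() and classifies each entry of a proposed LD_PRELOAD value by the rules ld.so(8) documents for secure-execution mode.  The names classify_preload_entry and audit_preload_list are this example's own, and that the documented rules match the installed loader is an assumption.

```c
/* Added diagnostic, not from the bug thread.  The per-entry rules follow the ld.so(8)
 * manual's description of LD_PRELOAD under AT_SECURE (assumed to match the loader in use). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
enum preload_fate {
    PRELOAD_LOADED,         /* not secure mode: entry honoured as usual */
    PRELOAD_IGNORED_SLASH,  /* secure mode: an entry containing '/' is ignored */
    PRELOAD_STDDIR_SETUID,  /* secure mode: plain name, standard dirs only, set-user-ID file only */
};
static const char *fate_text[] = {
    "loaded", "ignored (contains '/')", "standard dirs only, needs set-user-ID bit",
};

enum preload_fate classify_preload_entry(const char *entry, int secure)
{
    if (!secure) return PRELOAD_LOADED;
    return strchr(entry, '/') != NULL ? PRELOAD_IGNORED_SLASH : PRELOAD_STDDIR_SETUID;
}

/* Split an LD_PRELOAD value (':' or whitespace separated), describe each entry to
 * OUT when non-NULL, and return how many entries secure mode drops or restricts. */
int audit_preload_list(const char *list, int secure, FILE *out)
{
    char *copy = strdup(list);
    int affected = 0;
    if (copy == NULL) return -1;
    for (char *tok = strtok(copy, ": \t"); tok != NULL; tok = strtok(NULL, ": \t")) {
        enum preload_fate f = classify_preload_entry(tok, secure);
        affected += (f != PRELOAD_LOADED);
        if (out != NULL)
            fprintf(out, "  %-32s %s\n", tok, fate_text[f]);
    }
    free(copy);
    return affected;
}

int main(int argc, char **argv)
{
    /* The kernel sets AT_SECURE on a privilege-changing exec (set-user-ID, file capabilities
     * or an LSM transition); ld.so only obeys it.  Pass the intended LD_PRELOAD value as
     * argv[1], because in secure mode ld.so drops LD_PRELOAD from the environment early. */
    int secure = getauxval(AT_SECURE) != 0;
    printf("AT_SECURE=%d\n", secure);
    if (argc > 1)
        printf("affected entries: %d\n", audit_preload_list(argv[1], secure, stdout));
    return 0;
}
```

Run it inside the confined or set-user-ID context you are debugging (for example from the profile's own exec transition), since the AT_SECURE value of an unconfined shell says nothing about the target process.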