Zbigniew Jędrzejewski-Szmek wrote on 27/07/14 18:09:
> On Sun, Jul 27, 2014 at 05:54:15AM -0700, Kay Sievers wrote:
>> factory/etc/nsswitch.conf | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> New commits:
>> commit ccc6fa0d6b8e3ce5e7508ee8a141ee26f380b4a3
>> Author: Kay Sievers <k...@vrfy.org>
>> Date: Sun Jul 27 14:53:21 2014 +0200
>>
>> factory: nss - add generic config
>>
>> diff --git a/factory/etc/nsswitch.conf b/factory/etc/nsswitch.conf
>> new file mode 100644
>> index 0000000..5f2984e
>> --- /dev/null
>> +++ b/factory/etc/nsswitch.conf
>> @@ -0,0 +1,6 @@
>> +# This file is part of systemd.
>> +
>> +passwd: files
>> +shadow: files
>> +group: files
>> +hosts: files mymachines resolve myhostname
> Hi Kay,
>
> I know that traditionally myhostname is added at the end.
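Review bot: on the `+hosts:` line of the new factory/etc/nsswitch.conf, myhostname is listed after mymachines and resolve, so lookups of the machine's own hostname and of localhost* names are answered by guest-machine and DNS-backed sources before the local source gets a chance; a misconfigured or spoofed local DNS can then override names that should never be network-controlled. Put the local sources ahead of the network-backed ones, as proposed in the reply: `+hosts: files myhostname mymachines resolve`.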
Oh, crap. I just realised that all my setups have myhostname before dns. Oops!

> But local
> configuration should be more trusted than DNS (*). It is also more
> trusted than guest machines. So imho the right order is
>
> files myhostname mymachines resolve

That would match my natural assumption (i.e. I saw myhostname as a replacement for putting static, but expected, definitions in /etc/hosts) so glad I'm not venturing too far off the reservation :p

> (*) One specific example that I've encountered is when local DNS is
> tied with DHCP server, and registers names automatically. Then a
> misconfiguration of the DNS server is likely, and it wreaks havoc.
> Common examples: starting to resolve 'localhost' when a computer without
> a hostname configured (and thus using localhost.localdomain as the fqdn)
> acquired an address, or resolving the name of a computer to the address
> of a previous lease.
>
> Also, since DNS is not (usually) secure against attack over the local
> network, by giving DNS higher priority, we open up an attack vector
> where 'localhost' can be spoofed to refer to a different machine, even
> with a correctly functioning server. There's no valid reason to make
> the resolution of localhost* names configurable through DNS, so we may
> just as well do it locally for speed and robustness. The same logic
> is true for the other names returned by myhostname.

Seems sensible to me but will be interested to hear if there is a counter argument.

Col

-- 
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
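The ordering rule argued in this thread, turned into a small configuration check. This is an added example, not code from the thread or from systemd: it parses the `hosts:` line of an nsswitch.conf and reports any network-backed source (dns, resolve, mymachines) that is consulted before a local source (files, myhostname), which is exactly the situation the factory file has and the proposed reordering avoids. The split into "local" and "network-backed" sources is the assumption the check is built on, taken from the reasoning in the reply; the two sample configurations are constructed inline, the first being the committed factory file and the second the proposed order.

```python
"""Check that local NSS host sources precede network-backed ones.

Added example (not systemd's own code).  The classification below is an
assumption drawn from the thread: sources answering from local state
should be consulted before sources that trust the network or guests.
"""

import re

# Sources that answer from local, administrator-controlled state.
LOCAL_SOURCES = {"files", "myhostname"}
# Sources whose answers come from the network or from other machines.
NETWORK_SOURCES = {"dns", "resolve", "mymachines"}

# Constructed sample inputs: the factory file from the commit and the
# reordered hosts line proposed in the reply.
FACTORY_CONF = """\
# This file is part of systemd.

passwd: files
shadow: files
group: files
hosts: files mymachines resolve myhostname
"""

PROPOSED_CONF = """\
passwd: files
shadow: files
group: files
hosts: files myhostname mymachines resolve
"""

_ACTION_SPEC = re.compile(r"\[[^\]]*\]")  # e.g. [NOTFOUND=return]


def parse_nsswitch(text):
    """Return {database: [source, ...]} for every configured line.

    Comments are stripped and action specifiers such as [NOTFOUND=return]
    are dropped: they alter fallthrough, not the lookup order checked here.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = _ACTION_SPEC.sub(" ", rest)
        databases[db.strip()] = rest.split()
    return databases


def hosts_order_problems(sources):
    """Return the network-backed sources that precede some local source.

    A local source listed after a network-backed one can be shadowed by
    whatever that network-backed source answers, so each such earlier
    source is reported once, in the order it appears.
    """
    problems = []
    seen_network = []
    for src in sources:
        if src in NETWORK_SOURCES:
            seen_network.append(src)
        elif src in LOCAL_SOURCES and seen_network:
            problems.extend(s for s in seen_network if s not in problems)
    return problems


def check_hosts_line(text):
    """Parse a config and report the hosts order plus any shadowing sources."""
    sources = parse_nsswitch(text).get("hosts", [])
    return {"hosts": sources, "shadowed_by": hosts_order_problems(sources)}


if __name__ == "__main__":
    for name, conf in (("factory", FACTORY_CONF), ("proposed", PROPOSED_CONF)):
        report = check_hosts_line(conf)
        if report["shadowed_by"]:
            verdict = "local names shadowed by " + ", ".join(report["shadowed_by"])
        else:
            verdict = "OK"
        print(f"{name}: hosts: {' '.join(report['hosts'])} -> {verdict}")
```

Run against the factory file the check reports that myhostname is shadowed by mymachines and resolve; the proposed order passes. To check a live system, read `/etc/nsswitch.conf` and pass its contents to `check_hosts_line`.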