Bug#880846: debian-installer: compat is not suitable as the default in /etc/nsswitch.conf
Package: debian-installer
Severity: minor
https://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/amd64/iso-cd/
I just did an install from the image downloaded from the above URL using
debootstrap. I'm not sure if this bug applies to debian-installed,
debootstrap, or both.
When I installed it the /etc/nsswitch.conf file had the following entries:
passwd: compat
group: compat
shadow: compat
According to nsswitch.conf(5) the "compat" line is to enable entries that
start with "+" or "-" for special NIS operations.
The benefit in having compat as the default is minor even for the tiny minority
of users who have NIS enabled. Putting in compat entries in /etc/nsswitch.conf
is a tiny part of the work required to enable NIS. I don't think that people
who use NIS would find it an inconvenience to have "files" as the default.
Currently we are having a discussion on the SE Linux policy mailing list about
the permission for memory mapping files. /lib/libnss_compat.so.X needs to
map them which means that most domains need map access to etc_t while
/lib/libnss_files.so.X doesn't map them and doesn't need such access.
By default I advocate for changing SE Linux policy rather than changing system
configuration. But in this case I can't see any downside in making the default
to use "files". Having less complex parsing of those files seems like a good
benefit too. As a general rule less complex code will tend to have fewer
security issues.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to: