nscd ignores /etc/hosts

Bug #62020 reported by Matthias Urlichs
Affects: glibc (Ubuntu). Status: Invalid. Importance: Undecided. Assigned to: Unassigned.

Bug Description

My /etc/hosts contains the entry
192.109.102.54 mac.urlichs.noris.de

My /etc/nsswitch.conf contains the entry
hosts: files dns

I would expect that starting nscd, or not, would not have any effect except performance. This log clearly shows otherwise.

The security implication is that entries in /etc/hosts may be necessary to override information in the DNS which the local admin assumes (or, worse, knows) to be unreliable and/or wrong. If these host names are also used in ACLs, ignoring /etc/hosts may thus allow access from hosts which ordinarily would be forbidden.

# /etc/init.d/nscd stop
Stopping Name Service Cache Daemon: nscd.
# ping -c1 mac.urlichs.noris.de
PING mac.urlichs.noris.de (192.109.102.54) 56(84) bytes of data.
64 bytes from mac.urlichs.noris.de (192.109.102.54): icmp_seq=1 ttl=64 time=0.418 ms

--- mac.urlichs.noris.de ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.418/0.418/0.418/0.000 ms
# /etc/init.d/nscd start
Starting Name Service Cache Daemon: nscd.
# ping -c1 mac.urlichs.noris.de
PING mac.urlichs.noris.de (213.95.17.43) 56(84) bytes of data.

--- mac.urlichs.noris.de ping statistics ---
0 packets transmitted, 0 received

# /etc/init.d/nscd stop
Stopping Name Service Cache Daemon: nscd.
# ping -c1 mac.urlichs.noris.de
PING mac.urlichs.noris.de (192.109.102.54) 56(84) bytes of data.
64 bytes from mac.urlichs.noris.de (192.109.102.54): icmp_seq=1 ttl=64 time=0.396 ms

--- mac.urlichs.noris.de ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.396/0.396/0.396/0.000 ms

Tags: nscd
Matt Zimmerman (mdz) wrote:

This seems clearly a bug, but I think that it's a stretch to consider this a security vulnerability.

Luis Mondesi (lemsx1) wrote:

Assuming that your nsswitch.conf is set correctly to cache /etc/hosts (hosts db), you need to reload NSCD for this to be cached:

/etc/init.d/nscd reload

or you can wait until it times out.

I think this bug should be closed.

Matthias Urlichs (smurf) wrote:

LuisM: Please read and understand the bug report before posting answers. Thank you.

NB, in gutsy this has been "fixed" by defaulting the host cache to off.

Anyway, I just found the problem, which is that nscd has a cache which the init script does not delete.

>>> rm -rf /var/db/nscd/*

Patch will follow.
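
A check for the symptom described in this report, added here as an example (it is not part of the bug report, the init script, or glibc): it compares the address /etc/hosts maps a name to with the address the live resolver returned, so a stale nscd cache that bypasses /etc/hosts shows up as a mismatch. The sample hosts file, names and addresses below are constructed.

```shell
#!/bin/sh
# hosts_file_lookup FILE NAME -> prints the address FILE maps NAME to (empty if none).
# Matches NAME only in the name/alias columns, never in the address column.
hosts_file_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                 # drop comments, NF is recomputed
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }' "$1"
}

# resolver_lookup NAME -> first address the running NSS stack (nscd included) returns.
resolver_lookup() {
    getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# check_hosts_override FILE NAME RESOLVED
# Returns 0 when RESOLVED agrees with FILE's entry for NAME (or FILE has no entry),
# 1 when the hosts-file override is being bypassed, which is the symptom in this report.
check_hosts_override() {
    expected=$(hosts_file_lookup "$1" "$2")
    if [ -z "$expected" ]; then
        return 0                           # no override present: nothing to enforce
    fi
    if [ "$expected" = "$3" ]; then
        return 0
    fi
    printf '%s: /etc/hosts says %s but resolver returned %s\n' "$2" "$expected" "$3" >&2
    return 1
}

# check_live NAME: run the check against the real /etc/hosts and resolver.
# Usage (not executed here): check_live mac.example.test
check_live() {
    check_hosts_override /etc/hosts "$1" "$(resolver_lookup "$1")"
}

# Constructed sample hosts file so the functions can be exercised offline.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
# override: DNS for this name is considered unreliable by the local admin
192.0.2.10  mac.example.test mac
EOF
```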

Chris Coulson (chrisccoulson) wrote:

Matthias - Is this still an issue?

Thanks

Changed in glibc:
status: New → Incomplete

Magnus S (magnuss) wrote:

We are closing this bug report because it lacks the information we need to investigate the problem. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in glibc:
status: Incomplete → Invalid