Subject: [bug#43371] [PATCH] doc: prevent host/container nscd mismatch
From: Edouard Klein
To: Ludovic Courtès
Cc: 43371@debbugs.gnu.org, conjaroy, 41575@debbugs.gnu.org
Date: Mon, 14 Sep 2020 09:24:32 +0200
Message-ID: <87tuw0ddn3.fsf@rdklein.fr>
In-reply-to: <87y2ld9ym2.fsf@gnu.org>
References: <87lfhet1d2.fsf@rdklein.fr> <87y2ld9ym2.fsf@gnu.org>

Hi !

Ludovic Courtès writes:

> Hi,
>
> edk@beaver-labs.com skribis:
>
>> doc/guix.texi: (Name Service Switch) add a workaround for bug #41575
>> ---
>>  doc/guix.texi | 16 +++++++++++++++-
>>  1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index a6e14ea177..a9472e680e 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -1706,6 +1706,20 @@ this binary incompatibility problem because those @code{libnss_*.so}
>>  files are loaded in the @command{nscd} process, not in applications
>>  themselves.
>>  
>> +For applications running in containers (@pxref{Invokin guix container}),
>> +however, @code{nscd} may leak information from the host to the container.
>> +If there is a configuration mismatch between the two ---e.g., the host
>> +has no @code{sshd} user while the container needs one--- then it may be
>
> I find the example is hard to understand.  How about: “applications in
> the container could end up looking users in the host”?
>
>> +worthwhile to limit which kind of information the host's @code{nscd}
>> +daemon may give to the container by adding the following to
>> +@code{/etc/nscd.conf}.
>> +
>> +@example
>> +  enable-cache passwd no
>> +  enable-cache group no
>> +  enable-cache netgroup no
>> +@end example
>
> Actually, perhaps the better fix is to never use the host’s nscd?  We
> could change ‘containerized-operating-system’ accordingly.
>

I think this would be best, but I did not know where to make this change,
so I just edited the doc instead.

I don't know if containers need the host's nscd to avoid the libc issues
mentioned in the doc, but if they don't, then preventing them from
accessing the host's nscd seems logical and would solve the problem. And
we wouldn't need to amend the doc at all.

> That would allow guest OSes to work correctly regardless of the host’s
> nscd config, which seems like an improvement.
>
> Thoughts?
>
> Ludo’.
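Review bot: the first `+` line of the hunk misspells the cross-reference target in `@pxref{Invokin guix container}`, so makeinfo will not resolve the node; it should read `@pxref{Invoking guix container}`. Two further points on the same hunk: the `enable-cache passwd no` / `enable-cache group no` / `enable-cache netgroup no` lines go into the host's `/etc/nscd.conf`, so they affect every process on the host and not only containers, and the new paragraph should state that trade-off against the benefit the preceding context lines describe (NSS plugins loaded in the nscd process rather than in applications). Finally, the sentence `the host has no @code{sshd} user while the container needs one` names the mismatch but not its consequence; saying, as Ludovic suggests, that the container would then resolve users against the host's databases makes the information-leak risk explicit.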