http://bugzilla.novell.com/show_bug.cgi?id=540966 User pbaudis@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=540966#c9

--- Comment #9 from Petr Baudis <pbaudis@novell.com> 2009-11-14 02:26:17 MST ---

Now wait, in 11.1, nscd is still running as root; it was the change from nscd to unscd that caused this. nscd is a daemon that can be provided by two compatible implementations, glibc nscd and unscd; up to 11.1 we used glibc nscd, and from 11.2 on we switched to unscd because the implementation is much simpler and more stable. It's like how awk could be either gawk or mawk: multiple implementations share the same name.

You are repeating things about attack surfaces and such, but you haven't pointed out _why_ nscd running as root increases any risk, given its vital function in the system anyway. Heck, just make it resolve your username to uid 0 if you get control over it, log in, and you are root anyway. It does not matter at all what user nscd is running as; if it breaks down, the local security of the whole system is violated.

Finally, the reason to run it as root is NIS. Normally, everything works as expected, but the special scenario is passwd.adjunct; this is a special Sun invention that seems to pre-date shadow and is still in use at some places, a separate database that is to be interpolated with passwd to get passwords for users within nss_nis. Normally, the NIS server will serve passwd.adjunct information only when the originating port is <1024, which only nss_nis running as root can arrange; if nscd is not root, passwords don't appear in the passwd database and you can't log in anymore.

Yes, the whole thing is fairly crappy from the security standpoint, but some users still use it, and MY WHOLE POINT is that this does not cost us anything since THIS DOES NOT INCREASE ANY RISKS; the risks are big enough already anyway. You need to specifically address this point if you want to argue further.
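The passwd.adjunct mechanism described in the comment above, as an added simulation that is not part of the bug report and not code from glibc, nscd, unscd or ypserv. It models the two maps (passwd.byname carrying "##name" in the password field, passwd.adjunct.byname carrying the real hash), a toy NIS server that refuses the adjunct map to clients whose source port is not privileged, and a client lookup that can only obtain a reserved port when running as root. All map entries, hashes, port numbers and the NisServer/getpwnam_nis names are constructed for the example; what glibc does with the password field when the adjunct lookup is denied is stated here as an assumption.

```python
"""Simulated nss_nis passwd.adjunct interpolation (constructed example).

Shows why an nscd/nss_nis client that is not root cannot fill in passwords
from passwd.adjunct: the server only answers adjunct queries from a
privileged source port (<1024), and only root can bind one.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed NIS maps. In the Sun passwd.adjunct scheme the passwd map carries
# "##<name>" in the password field and the real hash lives in passwd.adjunct.
# The entries and hashes below are made up.
PASSWD_BYNAME = {
    "alice": "alice:##alice:1000:100:Alice:/home/alice:/bin/bash",
    # bob has no adjunct entry; his hash sits directly in passwd (made up).
    "bob": "bob:$6$salt$legacyhash:1001:100:Bob:/home/bob:/bin/sh",
}
PASSWD_ADJUNCT_BYNAME = {
    "alice": "alice:$6$salt$realhash:::::",
}

# Ports below this are reserved: binding one needs root (or CAP_NET_BIND_SERVICE).
PRIVILEGED_PORT_LIMIT = 1024


class NisServer:
    """Toy ypserv: passwd.adjunct is a 'secure' map, served only to privileged ports."""

    SECURE_MAPS = {"passwd.adjunct.byname"}
    MAPS = {
        "passwd.byname": PASSWD_BYNAME,
        "passwd.adjunct.byname": PASSWD_ADJUNCT_BYNAME,
    }

    def match(self, mapname: str, key: str, client_port: int) -> Optional[str]:
        # Refuse secure maps to unprivileged clients, as the comment describes.
        if mapname in self.SECURE_MAPS and client_port >= PRIVILEGED_PORT_LIMIT:
            return None
        return self.MAPS.get(mapname, {}).get(key)


@dataclass
class PwEntry:
    name: str
    passwd: str
    uid: int
    gid: int


def client_source_port(running_as_root: bool) -> int:
    """Source port the client can obtain: only root can bind a reserved port."""
    return 1023 if running_as_root else 40000  # constructed port values


def getpwnam_nis(server: NisServer, name: str, running_as_root: bool) -> Optional[PwEntry]:
    """Resolve a user the way nss_nis does, interpolating passwd.adjunct if present."""
    port = client_source_port(running_as_root)
    line = server.match("passwd.byname", name, port)
    if line is None:
        return None
    fields = line.split(":")
    entry = PwEntry(fields[0], fields[1], int(fields[2]), int(fields[3]))
    if entry.passwd.startswith("##"):
        adj = server.match("passwd.adjunct.byname", entry.passwd[2:], port)
        if adj is not None:
            entry.passwd = adj.split(":")[1]  # real hash from the adjunct map
        # Assumption: when the adjunct lookup is denied the "##name" placeholder
        # stays in the password field, which no crypt() output can ever match.
    return entry


def password_usable(entry: PwEntry) -> bool:
    """True if the entry carries a hash a login program could verify against."""
    return entry.passwd not in ("", "*", "!") and not entry.passwd.startswith("##")


if __name__ == "__main__":
    srv = NisServer()
    for as_root in (True, False):
        e = getpwnam_nis(srv, "alice", as_root)
        print(f"root={as_root}: alice passwd={e.passwd!r} usable={password_usable(e)}")
```

Running it as root-equivalent yields a usable hash for alice; as an unprivileged client the adjunct query is refused and alice is left with the "##alice" placeholder, which is the "passwords don't appear and you can't log in" failure the comment describes. bob, whose hash is in passwd itself, resolves either way.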