On 08.02.20 at 12:57, Michael Ströder wrote:
>>> Security best practices mandate that you only have needed functionality enabled. Bear in mind that nss_ modules listed in /etc/nsswitch.conf get linked into every process.
>>> Thus I always remove unneeded stuff from nsswitch.conf, especially the nis module.
>>
>> Well, and you do exactly the same in the future: by providing your own nsswitch.conf, you override the defaults. Nothing really changes.
>
> Yes, today I can completely override the compile-time defaults with /etc/nsswitch.conf. But I suspect that the other day somebody has this great idea of making this impossible.

Has anybody spoken about "let's remove nsswitch.conf and just compile in the only possible setup"? I have not read anything resembling this.

But instead of "shipping a default config file where you need to guess at next update if it has been changed" I think that "do not ship a default config file, but just set the defaults to what used to be in this file" seems sensible, because then you know *if* there is a config file, the admin has expressed his wishes -- and you can obey them. Or warn with a postinst message that he needs to look because something changed.

--
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
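
An audit check for the practice discussed in this thread, as an added example that is not part of any message above: it parses an nsswitch.conf, lists the glibc NSS modules the file names, and flags services outside an allowlist. The allowlist, the function names and the sample file are assumptions made for illustration.

```python
import re

# Assumption: the services this host actually needs; adjust per site.
ALLOWED = {"files", "dns", "compat", "systemd"}

# Constructed sample input (not taken from any real system).
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   compat nis
group:    files [NOTFOUND=return] nis
hosts:    files mdns4_minimal [NOTFOUND=return] dns
netgroup: nis   # legacy
"""

def parse_nsswitch(text):
    """Return {database: [service, ...]}, skipping comments and [STATUS=action] items."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop action specifications
        result[db.strip()] = rest.split()
    return result

def unexpected_services(text, allowed=ALLOWED):
    """Return sorted (service, database) pairs for services outside the allowlist."""
    found = set()
    for db, services in parse_nsswitch(text).items():
        for svc in services:
            if svc not in allowed:
                found.add((svc, db))
    return sorted(found)

def module_names(text):
    """glibc resolves service X to libnss_X.so.2; list every module the file names."""
    services = {s for svcs in parse_nsswitch(text).values() for s in svcs}
    return sorted(f"libnss_{s}.so.2" for s in services)

if __name__ == "__main__":
    # To audit a real host, pass open("/etc/nsswitch.conf").read() instead of SAMPLE.
    for svc, db in unexpected_services(SAMPLE):
        print(f"{db}: unexpected service '{svc}' (libnss_{svc}.so.2)")
```

If the file is absent, the compiled-in defaults apply, so an audit of that case has to check the defaults the distribution documents rather than this file.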