On 08.02.20 at 12:57, Michael Ströder wrote:
Security best practices mandate that you only have
enabled. Bear in mind that nss_ modules listed in /etc/nsswitch.conf get
linked into every process.
Thus I always remove unneeded stuff from nsswitch.conf, especially the
Well, and you do exactly the same in the future: by providing your own
nsswitch.conf, you override the defaults.
Nothing really changes.
Yes, today I can completely override the compile-time
/etc/nsswitch.conf. But I suspect that the other day somebody has this
great idea of making this impossible.
Has anybody spoken about "let's remove nsswitch.conf and just compile in
the only possible setup"? I have not read anything resembling this.
But instead of "shipping a default config file where you need to guess
at next update if it has been changed" I think that "do not ship a
default config file, but just set the defaults to what used to be in
this file" seems sensible, because then you know *if* there is a config
file, the admin has expressed his wishes -- and you can obey them.
Or warn with a postinst message that he needs to look because something
"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
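
An added example, not part of the original thread: one way to audit which NSS modules an nsswitch.conf references, so that unneeded sources stand out. The sample file contents and the ALLOWED set are constructed assumptions; the libnss_<source>.so.2 naming is the glibc convention.

```python
import re

# Constructed sample; not taken from any distribution's shipped file.
SAMPLE = """\
# /etc/nsswitch.conf (constructed example)
passwd:   compat systemd sss
group:    compat systemd
hosts:    files mdns4_minimal [NOTFOUND=return] dns
netgroup: nis   # legacy
"""

# Assumption: the set of sources this host actually needs.
ALLOWED = {"files", "compat", "dns"}


def parse_nsswitch(text):
    """Return {database: [source, ...]}, skipping comments and [STATUS=action] items."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        # Action items such as [NOTFOUND=return] are not sources; drop them.
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        result[database.strip()] = rest.split()
    return result


def unexpected_modules(text, allowed=ALLOWED):
    """Map each module outside `allowed` to the databases that reference it."""
    findings = {}
    for database, sources in parse_nsswitch(text).items():
        for source in sources:
            if source not in allowed:
                findings.setdefault(f"libnss_{source}.so.2", []).append(database)
    return findings


if __name__ == "__main__":
    for module, databases in sorted(unexpected_modules(SAMPLE).items()):
        print(f"{module}: referenced by {', '.join(databases)}")
```

To check a real host, pass the contents of its /etc/nsswitch.conf to unexpected_modules() with an allowlist that matches that system.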