This amount of users needs a lot of tuning and I think installing a program like NSCD is or should be part of that tuning. I personally run SuSE on web-servers and have NSCD turned off. The reason is that I only read of difficulties with NSCD and every program adds a security risk.
Am I the only one for which NSCD creates problems with slow nameservers? As in:

- Issue the command: "ping www.somestrangedomainname.com"
- my DNS has to lookup the address from a far/slow DNS and doesn't reply before timeout
- ping replies host unknown
- NSCD caches the host unknown error
- another ping returns error again for some time
- "/etc/rc.d/nscd stop" (sorry for the RedHat-ism :)
- "ping www.somestrangedomainname.com"
- this time it's OK.

I can easily imagine a lot of people that just installed linux being lost, and rebooting their machine to see "if it works this way". And the worst part is, it does work after the reboot...

Someone should have a talk with the glib/nscd people ;-)

Ciao, Roberto.
Hi,

> - NSCD caches the host unknown error

And more problems with it. In at.linux one had a problem adding a user (with useradd, manually ...) - always got "unknown user", until he stopped nscd. This program is broken. It doesn't recognise changes on files it's caching.

> I can easily imagine a lot of people that just installed linux being lost, and rebooting their machine to see "if it works this way". And the worst part is, it does work after the reboot...

Yes, that's the problem. There are many beginners starting with SuSE who immediately have troubles because of nscd. If experienced sysops with 1000+ users want it, they can turn it on manually, the default should be off.

> Someone should have a talk with the glib/nscd people ;-)

and with the guys that put together a distri and start every possible service/daemon as default. (this regarding security ;-)

> Ciao, Roberto.

merry X-Mas
leo
> I can easily imagine a lot of people that just installed linux being lost, and rebooting their machine to see "if it works this way". And the worst part is, it does work after the reboot...
>
> Someone should have a talk with the glib/nscd people ;-)

This has been taken care of in the design already. Take a look at /etc/nscd.conf, starting with SuSE-6.4 or 7.0 (don't know exactly) there is a line like

    enable-cache hosts no

This turns off that feature completely. It may make sense!

    negative-time-to-live hosts 20

This ensures that "host not found" for that entry doesn't get older than 20 seconds.

> Ciao, Roberto.

Roman.
--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
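
Added example, not part of the original thread or of nscd itself: a small audit of nscd.conf-style text that reports, per cached service, the settings behind the stale answers discussed above. The sample file is constructed, the 20-second threshold is simply the value quoted in the message above, and check-files (a standard nscd.conf directive not mentioned in the thread) is included as an assumption about what an admin would also want checked.

```python
# Constructed sample in /etc/nscd.conf syntax (not taken from a real host).
SAMPLE_CONF = """\
# option                 service  value
enable-cache             passwd   yes
negative-time-to-live    passwd   20
check-files              passwd   no
enable-cache             hosts    yes
positive-time-to-live    hosts    3600
negative-time-to-live    hosts    600
check-files              hosts    yes
enable-cache             group    no
negative-time-to-live    group    3600
"""

MAX_NEGATIVE_TTL = 20  # seconds; the value quoted in the thread, used as threshold


def parse_nscd_conf(text):
    """Return {service: {option: value}} for the three-field directives."""
    services = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 3:  # blank, comment, or two-field global option
            continue
        option, service, value = fields
        services.setdefault(service, {})[option] = value
    return services


def audit(text, max_negative_ttl=MAX_NEGATIVE_TTL):
    """List (service, option, value) settings that keep stale answers around."""
    findings = []
    for service, opts in sorted(parse_nscd_conf(text).items()):
        if opts.get("enable-cache") != "yes":
            continue  # this file does not switch the cache on for the service
        ttl = opts.get("negative-time-to-live", "unset")
        if not ttl.isdigit() or int(ttl) > max_negative_ttl:
            findings.append((service, "negative-time-to-live", ttl))
        check = opts.get("check-files", "unset")
        if check != "yes":
            findings.append((service, "check-files", check))
    return findings


if __name__ == "__main__":
    for service, option, value in audit(SAMPLE_CONF):
        print(f"{service}: {option} = {value}")
```
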
Quoting Roman Drahtmueller (draht@suse.de) on Fri, Dec 22, 2000 at 02:30:01PM +0100:

> > I can easily imagine a lot of people that just installed linux being lost, and rebooting their machine to see "if it works this way". And the worst part is, it does work after the reboot...
> >
> > Someone should have a talk with the glib/nscd people ;-)
>
> This has been taken care of in the design already. Take a look at /etc/nscd.conf, starting with SuSE-6.4 or 7.0 (don't know exactly) there

Hmm, that still doesn't fix all the nasty other effects with UIDs. At my previous employer (a German Linux company) I used to disable NSCD on all systems I ever configured. My colleagues did or still do the same (Hi MGE!). So far it only made sense to enable nscd on systems with network authentication (NIS, LDAP).

cheers
afx
--
atsec information security GmbH    Phone: +49-89-44249830
Steinstrasse 68                    Fax: +49-89-44249831
D-81667 Muenchen, Germany          WWW: www.atsec.com
May the Source be with you!
Hi Andreas,

> Hmm, that still doesn't fix all the nasty other effects with UIDs. At my previous employer (a German Linux company) I used to disable NSCD on all systems I ever configured. My colleagues did or still do the same (Hi MGE!). So far it only made sense to enable nscd on systems with network authentication (NIS, LDAP).

Right, I remember! There was something else: If you have two users with the same numerical userid, the nscd would gratefully return the second one instead of the first one. This happens because the cache is built that way. It may even have security implications...

> cheers afx

Take care and have a happy new year!
Roman.
--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
I have had this problem with an ISP I started. Seems like nscd just bites it after it starts taking a healthy amount of hits. That with its slow performance has made me remove it from all of our servers.

Cliff

On Fri, 22 Dec 2000 r.maurizzi@gvs.it wrote:

> This amount of users needs a lot of tuning and I think installing a program like NSCD is or should be part of that tuning. I personally run SuSE on web-servers and have NSCD turned off. The reason is that I only read of difficulties with NSCD and every program adds a security risk.
>
> Am I the only one for which NSCD creates problems with slow nameservers? As in:
>
> - Issue the command: "ping www.somestrangedomainname.com"
> - my DNS has to lookup the address from a far/slow DNS and doesn't reply before timeout
> - ping replies host unknown
> - NSCD caches the host unknown error
> - another ping returns error again for some time
> - "/etc/rc.d/nscd stop" (sorry for the RedHat-ism :)
> - "ping www.somestrangedomainname.com"
> - this time it's OK.
>
> I can easily imagine a lot of people that just installed linux being lost, and rebooting their machine to see "if it works this way". And the worst part is, it does work after the reboot...
>
> Someone should have a talk with the glib/nscd people ;-)
>
> Ciao, Roberto.
participants (5): Andreas Siegert, Cliff Friedel, Leopold Toetsch, r.maurizzi@gvs.it, Roman Drahtmueller