[ntp:security] [Bug 2960] upgrade to 4.2.8p4 causes FAIL at name resolution; error: ntpd[9881]: giving up resolving host clock.isc.org: Servname not supported for ai_socktype (-8)

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Mon Feb 1 15:15:20 UTC 2016


--- Comment #18 from Reinhard Max <max at suse.com> 2016-02-01 15:15:20 UTC ---
I've stumbled over a trick that might help us to get around the problems that
NSS imposes on chroot: There is a private function in glibc called
__nss_disable_nscd() that is intended to be called by nscd (name service cache
daemon) to prevent it from contacting itself recursively. It is also already
being used by alternative nscd implementations such as unscd in busybox.

In addition to disabling the use of nscd by the calling process this function
also forces all nss libraries that are configured in /etc/nsswitch.conf to be
loaded immediately rather than lazily. So, calling it prior to chroot() and
spawning the processes should save us from having to know all those libraries
in order to copy them to the chroot environment, but any files needed by those
libraries at runtime still need to be copied.

This will probably also take some pressure from the race condition between
threads and chroot(), but I still think that one should get fixed as well.

I'll attach a patch to add this to 4.2.8p6.

BTW, this also has the potential of allowing the default for mlockall() on
Linux to be turned back on, because it would shift the allocation that broke
locking back to happen before the lock.

BTW2, I think this function should become part of the public glibc API, because
as we see here, disabling caching and enforcing the loading of nss libraries
has valid use cases outside of glibc and its associated tools.
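The sequence the comment describes (eagerly load the NSS modules, then chroot) as an added example, not the patch attached to this bug and not NTP project code. It assumes the callback-taking prototype that glibc has used for `__nss_disable_nscd()` since 2.15 (the one unscd relies on), treats the glibc-private `struct traced_file` as opaque because its layout changes between releases, and declares the symbol weak so the program still links on a libc that does not export it; the chroot() call itself is left as a comment since it needs root.

```c
/* Added example: the __nss_disable_nscd() trick from the bug comment.
 * Not the NTP patch; prototype and behaviour are assumptions noted below. */
#include <stddef.h>
#include <stdio.h>

/* glibc-private type. Its layout varies between releases, so keep it opaque. */
struct traced_file;

/* Assumed prototype: the glibc >= 2.15 form, where nscd passes a callback
 * that is handed every file an NSS module will read at runtime.
 * Weak, so the binary links (and degrades gracefully) on a libc without it. */
extern void __nss_disable_nscd(void (*cb)(size_t, struct traced_file *))
    __attribute__((weak));

static unsigned files_reported;

/* Invoked by each module's _nss_<mod>_init for every (database, file) pair.
 * We only count; the file name sits inside the opaque struct. */
static void count_traced_file(size_t dbidx, struct traced_file *tf)
{
    (void)dbidx;
    (void)tf;
    files_reported++;
}

/* Call before chroot(): disables nscd for this process and forces every
 * NSS module listed in /etc/nsswitch.conf to be loaded now, so the jail
 * does not need the libnss_*.so files themselves.
 * Returns -1 when the private symbol is unavailable (non-glibc or a static
 * link), otherwise the number of runtime files the modules reported: the
 * set an operator still has to copy into the chroot. */
int preload_nss_before_chroot(void)
{
    if (__nss_disable_nscd == NULL)
        return -1;
    files_reported = 0;
    __nss_disable_nscd(count_traced_file);
    return (int)files_reported;
}

int main(void)
{
    int n = preload_nss_before_chroot();
    if (n < 0) {
        puts("__nss_disable_nscd unavailable: copy the NSS libraries instead");
        return 0;
    }
    printf("NSS modules loaded eagerly; %d runtime file(s) reported\n", n);
    /* chroot("/var/lib/ntp") and the privilege drop would follow here. */
    return 0;
}
```

The count returned is the useful by-product for a defender: the callback is exactly how nscd learns which files (passwd, hosts, resolv.conf and so on) the configured modules open later, so the same hook tells you what must exist inside the jail even though the shared objects no longer have to.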
