Red Hat Bugzilla – Bug 9538
nscd runs as root, and any user can crash it
Last modified: 2008-05-01 11:37:54 EDT
There are a few bugs in the nscd program included with glibc 2.1:
- the default action for a nscd request if the request type is unknown is
to abort(). As far as I can tell, this means that anyone can crash the nscd
daemon by sending a request with a type that nscd does not understand.
- nscd does not call setsid() when starting up as a daemon. This means that
if root logs in and starts it, nscd will hold onto that controlling TTY
until it is hung up.
- nscd runs as root. This isn't necessary. It would be nice if it could be
run as its own unprivileged user.
I have a patch that implements fixes for all three of these:
Adding the following %post/%preun scripts to the glibc spec file will
create the nscd user that would be needed to run nscd as non-root:
%post -n nscd
/sbin/chkconfig --add nscd
/usr/sbin/useradd -c "nscd caching daemon" \
-s /bin/false -r -d / nscd 2>/dev/null
%preun -n nscd
if [ $1 = 0 ] ; then
/sbin/chkconfig --del nscd
/usr/sbin/userdel nscd 2>/dev/null
/usr/sbin/groupdel nscd 2>/dev/null
I've sent these suggestions to the author of nscd but haven't received a
assigned to jakub
Still an issue w/ nscd-2.1.91-2 from Rawhide.
Fixed in glibc-2.1.92