Bug 9538 - nscd runs as root, and any user can crash it
Summary: nscd runs as root, and any user can crash it
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nscd
Version: 6.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-02-18 01:02 UTC by wingc
Modified: 2008-05-01 15:37 UTC (History)
0 users

Clone Of:
Last Closed: 2000-07-16 17:12:01 UTC

Attachments (Terms of Use)

Description wingc 2000-02-18 01:02:14 UTC
There are a few bugs in the nscd program included with glibc 2.1:

- the default action for a nscd request if the request type is unknown is
to abort(). As far as I can tell, this means that anyone can crash the nscd
daemon by sending a request with a type that nscd does not understand.

- nscd does not call setsid() when starting up as a daemon. This means that
if root logs in and starts it, nscd will hold onto that controlling TTY
until it is hung up.

- nscd runs as root. This isn't necessary. It would be nice if it could be
run as its own unprivileged user.

I have a patch that implements fixes for all three of these:


Adding the following %post/%preun scripts to the glibc spec file will
create the nscd user that would be needed to run nscd as non-root:

%post -n nscd
/sbin/chkconfig --add nscd
/usr/sbin/useradd -c "nscd caching daemon" \
	-s /bin/false -r -d / nscd 2>/dev/null

%preun -n nscd
if [ $1 = 0 ] ; then
    /sbin/chkconfig --del nscd
    /usr/sbin/userdel nscd 2>/dev/null
    /usr/sbin/groupdel nscd 2>/dev/null

I've sent these suggestions to the author of nscd but haven't received a
response yet.


Chris Wing

Comment 1 Cristian Gafton 2000-05-22 15:41:59 UTC
assigned to jakub

Comment 2 Pekka Savola 2000-07-16 17:11:59 UTC
Still an issue w/ nscd-2.1.91-2 from Rawhide.

Comment 3 Jakub Jelinek 2000-08-24 07:36:23 UTC
Fixed in glibc-2.1.92

Note You need to log in before you can comment on or make changes to this bug.