I reviewed libnss-myhostname version 0.3-4 from the Raring archives.
This shouldn't be considered a full security audit, rather an indicator of
maintainability.
- libnss-myhostname adds a new nss module that can be added to nsswitch to
always provide local hostname<->IP lookups regardless of the contents of
/etc/hosts
- No encryption
- No off-machine networking; will change results of nss-based lookups
- Relies upon netlink to retrieve address information for interfaces
- Does not run as a daemon; it is linked into every process that performs
nss lookups
- No PIE (library, fine), no Fortify (no functions used, fine), no
immediate binding (as dynamically loaded library with few deps, fine)
- Stack protection, read-only relocations
- No initscripts, no dbus services, no setuid, no sudo fragments
- No spawned processes
- Careful memory management
- Careful data handling
- Warnings in build from autotools
- Warnings in build from failed inlining
It'd be nice to have the warnings fixed at some point, but this does not
block main inclusion.
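The netlink address retrieval the bullets above mention, as an added example that is not code from libnss-myhostname or from this review: an RTM_GETADDR dump (NLM_F_DUMP on a NETLINK_ROUTE socket) parsed into per-interface addresses, with a constructed one-record message as the offline check. The struct and function names are assumptions of this example, not the module's.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

struct addr_rec { int ifindex; int family; char text[INET6_ADDRSTRLEN]; };
/* Walk RTM_NEWADDR messages (an RTM_GETADDR dump reply) into out[]. Sets *done at NLMSG_DONE; returns the record count, or -1 on NLMSG_ERROR. */
static int parse_ifaddrs(char *buf, int len, struct addr_rec *out, int max, int *done) {
    int n = 0;
    for (struct nlmsghdr *nh = (struct nlmsghdr *)buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE) { if (done) *done = 1; break; }
        if (nh->nlmsg_type == NLMSG_ERROR) return -1;
        if (nh->nlmsg_type != RTM_NEWADDR || n >= max) continue;
        struct ifaddrmsg *ifa = NLMSG_DATA(nh);
        const void *addr = NULL; int alen = IFA_PAYLOAD(nh);
        /* IPv4 entries carry IFA_LOCAL (the interface's own address); IPv6 only IFA_ADDRESS. */
        for (struct rtattr *rta = IFA_RTA(ifa); RTA_OK(rta, alen); rta = RTA_NEXT(rta, alen))
            if (rta->rta_type == IFA_LOCAL || (rta->rta_type == IFA_ADDRESS && !addr))
                addr = RTA_DATA(rta);
        if (!addr || !inet_ntop(ifa->ifa_family, addr, out[n].text, sizeof out[n].text)) continue;
        out[n].ifindex = ifa->ifa_index; out[n].family = ifa->ifa_family; n++;
    }
    return n;
}
/* Constructed sample (not a real capture): one RTM_NEWADDR for 127.0.0.1/8 on ifindex 1, parsed back; yields "127.0.0.1" only if exactly that record results. */
const char *sample_text(void) {
    static struct addr_rec r[2]; char buf[64] __attribute__((aligned(4))) = {0};
    struct nlmsghdr *nh = (struct nlmsghdr *)buf;
    struct ifaddrmsg *ifa = NLMSG_DATA(nh); struct rtattr *rta = IFA_RTA(ifa);
    nh->nlmsg_len = NLMSG_LENGTH(sizeof *ifa) + RTA_LENGTH(4); nh->nlmsg_type = RTM_NEWADDR;
    ifa->ifa_family = AF_INET; ifa->ifa_prefixlen = 8; ifa->ifa_index = 1;
    rta->rta_type = IFA_LOCAL; rta->rta_len = RTA_LENGTH(4);
    inet_pton(AF_INET, "127.0.0.1", RTA_DATA(rta));
    int n = parse_ifaddrs(buf, nh->nlmsg_len, r, 2, NULL);
    return (n == 1 && r[0].ifindex == 1 && r[0].family == AF_INET) ? r[0].text : "";
}
int main(void) {  /* live path: the same address dump the module requests from the kernel */
    struct { struct nlmsghdr nh; struct ifaddrmsg ifa; } req = {
        { NLMSG_LENGTH(sizeof(struct ifaddrmsg)), RTM_GETADDR, NLM_F_REQUEST | NLM_F_DUMP, 1, 0 }, { AF_UNSPEC } };
    static char buf[1 << 16] __attribute__((aligned(4))); struct addr_rec recs[64]; int done = 0;
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0 || send(fd, &req, sizeof req, 0) < 0) { perror("netlink"); return 1; }
    for (int len, n; !done && (len = recv(fd, buf, sizeof buf, 0)) > 0; )
        if ((n = parse_ifaddrs(buf, len, recs, 64, &done)) < 0) break;
        else for (int i = 0; i < n; i++) printf("if%d %s\n", recs[i].ifindex, recs[i].text);
    return 0;
}
```

Running the binary prints every address the kernel reports, which is the data the module answers lookups from instead of /etc/hosts; a dump spanning several recv() calls is handled by the NLMSG_DONE check.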
ACK