[ubuntu-hardened] Input on nsscache from a security perspective

Jeff Schroeder jeffschroed at gmail.com
Fri Jan 16 20:43:06 GMT 2009


On Fri, Jan 16, 2009 at 12:17 PM, Mathias Gug <mathiaz at ubuntu.com> wrote:
> Hi,
>
> I'd like to get the input of the security team on the nsscache project.
> nsscache is a Python library and a command line frontend to that library
> that synchronises a local NSS cache against a remote directory service,
> such as LDAP.
>
> Are there any problems or concerns with the overall idea and
> architecture? Is privacy an issue (ie having a copy of all uids/gids on a
> workstation)?

It isn't any less secure than /etc/passwd & /etc/shadow really. I've
seen ldap servers with anonymous binds enabled using cleartext with
no acls on the "userPassword" attribute. That's the equivalent of
/etc/shadow being 0644. nsscache is a nifty hack to increase system
resilience. It is a great idea if you are worried about SPOF and don't
want to put +n ldap servers in each location behind an lb.

-- 
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
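The "no acls on userPassword" situation Jeff describes maps directly onto OpenLDAP access control. The LDIF below is an added illustration, not part of the original thread and not nsscache's own configuration: it shows the weak catch-all rule (as a comment) next to a hardened rule set for the cn=config backend. The database DN `olcDatabase={1}mdb`, the suffix `dc=example,dc=com` and the admin DN `cn=admin,dc=example,dc=com` are assumed placeholders; substitute your own.

```ldif
# --- WEAK (constructed example, shown for contrast) -------------------------
# A single catch-all rule lets every bind, anonymous included, read every
# attribute. With this in place userPassword hashes are world-readable over
# the network, which is the "/etc/shadow mode 0644" case from the post.
#
#   olcAccess: {0}to * by * read
#
# --- HARDENED (assumed DNs; adjust to your directory) ------------------------
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password attributes: the owner may change them, anonymous may only use
# them to authenticate (simple bind), the admin may write, nobody else sees them.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=admin,dc=example,dc=com" write
  by * none
# Everything else (uid, gid, homeDirectory, loginShell, group membership):
# readable only by authenticated binds such as the service account nsscache
# uses, never by anonymous clients.
olcAccess: {1}to *
  by self write
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by * none
-
# Addresses the "cleartext" half of the problem: refuse operations on this
# database unless the connection has at least 128 bits of security
# strength, i.e. TLS (or an equivalent SASL security layer).
replace: olcSecurity
olcSecurity: ssf=128

# Global setting: reject anonymous binds outright, so an unauthenticated
# client cannot even enumerate the tree. The "by anonymous auth" clause
# above is still required, because every bind starts out anonymous.
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f hardened.ldif` on the server. After the change, an anonymous `ldapsearch` should no longer return entries at all, and an authenticated non-admin bind should return user entries without the `userPassword` attribute; if either check still succeeds, the `olcAccess` ordering is wrong (rules are evaluated in `{n}` order and the first matching `to` clause wins).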



More information about the ubuntu-hardened mailing list