path: root/pkgs/os-specific/linux/systemd/0018-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
blob: 68ae2264483542f403566da23e53e5eecbeaa582 (plain) (blame)
From 7a27556920fe1feefd17096841c8f3ca1294a1b3 Mon Sep 17 00:00:00 2001
From: Yuri Nesterov <yuriy.nesterov@unikie.com>
Date: Wed, 21 Jun 2023 17:17:38 +0300
Subject: [PATCH] timesyncd: disable NSCD when DNSSEC validation is disabled

Systemd-timesyncd sets SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file
to disable DNSSEC validation but it doesn't work when NSCD is used in
the system. This patch disables NSCD in systemd-timesyncd when
SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
directly.
---
 src/timesync/timesyncd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index 1d8ebecc91..2b0ae361ff 100644
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -21,6 +21,11 @@
 #include "timesyncd-conf.h"
 #include "timesyncd-manager.h"
 #include "user-util.h"
+#include "env-util.h"
+
+struct traced_file;
+extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *));
+static void register_traced_file(size_t dbidx, struct traced_file *finfo) {}
 
 static int advance_tstamp(int fd, const struct stat *st) {
         assert_se(fd >= 0);
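Review bot: The hand-written `extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *));` binds to a glibc-internal symbol that no public header declares, and nothing in the added lines documents that dependency. As far as I know glibc exports it only under the GLIBC_PRIVATE version and only when built with nscd support, so a libc update or a different libc could break the link or change the callback signature without a compiler diagnostic. A comment above the declaration such as `/* glibc-private hook (GLIBC_PRIVATE), no public prototype; re-verify the signature on every glibc bump */` would make this explicit. The empty `register_traced_file` callback should carry a one-line comment saying it is intentionally a no-op, and `#include "env-util.h"` would read better sorted in with the other includes.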
@@ -198,6 +203,12 @@ static int run(int argc, char *argv[]) {
         if (r < 0)
                 return log_error_errno(r, "Failed to parse fallback server strings: %m");
 
+        r = getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE");
+        if (r == 0) {
+                log_info("Disabling NSCD because DNSSEC validation is turned off");
+                __nss_disable_nscd(register_traced_file);
+        }
+
         log_debug("systemd-timesyncd running as pid " PID_FMT, getpid_cached());
 
         notify_message = notify_start("READY=1\n"
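Review bot: Only `r == 0` is acted on after `getenv_bool_secure("SYSTEMD_NSS_RESOLVE_VALIDATE")`, so a malformed value is dropped silently and the process keeps resolving through NSCD with no sign that the unit's setting had no effect. Assuming the helper returns -ENXIO for an unset variable, as elsewhere in systemd, the parse-error case can be surfaced with `else if (r < 0 && r != -ENXIO) log_warning_errno(r, "Failed to parse $SYSTEMD_NSS_RESOLVE_VALIDATE, ignoring: %m");`. The call to `__nss_disable_nscd()` appears to switch off NSCD for every NSS database in the process, not only host lookups, which deserves a comment such as `/* bypass nscd so nss-resolve sees the environment of this process; affects all NSS lookups from here on */`. run() starts and continues outside this hunk, so whether `r` is reassigned before its next use cannot be confirmed from here.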
-- 
2.34.1