nss: Use "files dns" as the default for the hosts database (bug 28700)

  This matches what is currently in nss/nsswitch.conf.  The new ordering
matches what most distributions use in their installed configuration
files.

It is common to add localhost to /etc/hosts because the name does not
exist in the DNS, but is commonly used as a host name.

With the built-in "dns [!UNAVAIL=return] files" default, dns is
searched first and provides an answer for "localhost" (NXDOMAIN).
We never look at the files database as a result, so the contents of
/etc/hosts is ignored.  This means that "getent hosts localhost"
fail without a /etc/nsswitch.conf file, even though the host name
is listed in /etc/hosts.

Tested on i686-linux-gnu and x86_64-linux-gnu.

Thanks,
Florian
---
 manual/nss.texi    | 5 ++---
 nss/XXX-lookup.c   | 2 +-
 nss/nss_database.c | 4 ++--
 3 files changed, 5 insertions(+), 6 deletions(-)
  

On 12/15/21 13:33, Florian Weimer via Libc-alpha wrote:
> This matches what is currently in nss/nsswitch.conf.  The new ordering
> matches what most distributions use in their installed configuration
> files.
> 
> It is common to add localhost to /etc/hosts because the name does not
> exist in the DNS, but is commonly used as a host name.
> 
> With the built-in "dns [!UNAVAIL=return] files" default, dns is
> searched first and provides an answer for "localhost" (NXDOMAIN).
> We never look at the files database as a result, so the contents of
> /etc/hosts is ignored.  This means that "getent hosts localhost"
> fail without a /etc/nsswitch.conf file, even though the host name
> is listed in /etc/hosts.
> 
> Tested on i686-linux-gnu and x86_64-linux-gnu.

This is a no-brainer IMO. And files and dns are *builtin* to glibc so the
builtin default using only builtin modules is a great default IMO. There
will be no further dlopens required to handle IdM queries via NSS.

Please note that the linux man pages still show:
	hosts:          dns [!UNAVAIL=return] files
as an example, and it would be kind to send Michael Kerrisk a patch for this.

I expect most downstream distributions have never seen this because they ship
with a modified /etc/nsswitch.conf that the distribution owns. I expect the
experimentation we're seeing upstream in this area to become more and more
common. The defaults should make sense for modern systems. The builtin was
something I reviewed when we did the NSS reloading work and it struck me as
odd that it was dns first.

LGTM.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

 
> Thanks,
> Florian
> ---
>  manual/nss.texi    | 5 ++---
>  nss/XXX-lookup.c   | 2 +-
>  nss/nss_database.c | 4 ++--
>  3 files changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/manual/nss.texi b/manual/nss.texi
> index 3aaa7786f8..524d22ad1e 100644
> --- a/manual/nss.texi
> +++ b/manual/nss.texi
> @@ -324,9 +324,8 @@ missing.
>  
>  @cindex default value, and NSS
>  For the @code{hosts} and @code{networks} databases the default value is
> -@code{dns [!UNAVAIL=return] files}.  I.e., the system is prepared for
> -the DNS service not to be available but if it is available the answer it
> -returns is definitive.
> +@code{files dns}.  I.e., local configuration will override the contents
> +of the domain name system (DNS).

OK.

>  
>  The @code{passwd}, @code{group}, and @code{shadow} databases was
>  traditionally handled in a special way.  The appropriate files in the
> diff --git a/nss/XXX-lookup.c b/nss/XXX-lookup.c
> index 302c6361e0..e129f699fa 100644
> --- a/nss/XXX-lookup.c
> +++ b/nss/XXX-lookup.c
> @@ -28,7 +28,7 @@
>  |* ALTERNATE_NAME - name of another service which is examined in   *|
>  |*                  case DATABASE_NAME is not found                *|
>  |* 								   *|
> -|* DEFAULT_CONFIG - string for default conf (e.g. "dns files")	   *|
> +|* DEFAULT_CONFIG - string for default conf (e.g. "files dns")	   *|

OK.

>  |* 								   *|
>  \*******************************************************************/
>  
> diff --git a/nss/nss_database.c b/nss/nss_database.c
> index ab121cb371..54561f0328 100644
> --- a/nss/nss_database.c
> +++ b/nss/nss_database.c
> @@ -80,7 +80,7 @@ enum nss_database_default
>  {
>   nss_database_default_defconfig = 0, /* "nis [NOTFOUND=return] files".  */
>   nss_database_default_compat, /* "compat [NOTFOUND=return] files".  */
> - nss_database_default_dns,    /* "dns [!UNAVAIL=return] files".  */
> + nss_database_default_dns,    /* "files dns".  */

OK.

>   nss_database_default_files,    /* "files".  */
>   nss_database_default_nis,    /* "nis".  */
>   nss_database_default_nis_nisplus,    /* "nis nisplus".  */
> @@ -133,7 +133,7 @@ nss_database_select_default (struct nss_database_default_cache *cache,
>  #endif
>  
>      case nss_database_default_dns:
> -      line = "dns [!UNAVAIL=return] files";
> +      line = "files dns";

OK.

>        break;
>  
>      case nss_database_default_files:
>
  

I wonder if it would make sense to have a built-in "localhost" module
for nss, so we could use "localhost dns [[!UNAVAIL=return] files" as the
internal default *just* to solve the localhost problem?  Or call it
"internaldb" so its purpose is obvious?

That would guarantee that if we have to resort to defaults, we resort to
defaults that work.

Anything that manages nsswitch would provide something to resolve
localhost externally too, as usual.
  

* DJ Delorie:

> I wonder if it would make sense to have a built-in "localhost" module
> for nss, so we could use "localhost dns [[!UNAVAIL=return] files" as the
> internal default *just* to solve the localhost problem?  Or call it
> "internaldb" so its purpose is obvious?
>
> That would guarantee that if we have to resort to defaults, we resort to
> defaults that work.
>
> Anything that manages nsswitch would provide something to resolve
> localhost externally too, as usual.

The tricky aspect here is the exact meaning of localhost on dual-host
systems.  I'm not sure how much variance there is in practice, though.

Thanks,
Florian