1From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2From: Yuri Nesterov <yuriy.nesterov@unikie.com>
3Date: Wed, 21 Jun 2023 17:17:38 +0300
4Subject: [PATCH] timesyncd: disable NSCD when DNSSEC validation is disabled
5
6Systemd-timesyncd sets SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file
7to disable DNSSEC validation but it doesn't work when NSCD is used in
8the system. This patch disables NSCD in systemd-timesyncd when
9SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
10directly.
11---
12 src/timesync/timesyncd.c | 11 +++++++++++
13 1 file changed, 11 insertions(+)
14
15diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
16index d002501d29..9b835dc031 100644
17--- a/src/timesync/timesyncd.c
18+++ b/src/timesync/timesyncd.c
19@@ -23,6 +23,11 @@
20 #include "timesyncd-conf.h"
21 #include "timesyncd-manager.h"
22 #include "user-util.h"
23+#include "env-util.h"
24+
25+struct traced_file;
26+extern void __nss_disable_nscd(void (*)(size_t, struct traced_file *));
27+static void register_traced_file(size_t dbidx, struct traced_file *finfo) {}
28
29 static int advance_tstamp(int fd, usec_t epoch) {
30 assert(fd >= 0);
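Review bot: The hand-written `extern void __nss_disable_nscd(...)` declaration ties timesyncd to a glibc-internal symbol that, to my knowledge, is exported only under GLIBC_PRIVATE. It is not a stable interface, so the build fails on a non-glibc libc, and a glibc update may break linking or loading without warning. Wrap the declaration, the empty `register_traced_file` callback and the later call in `#ifdef __GLIBC__`. Above the declaration, add a comment such as `/* glibc-private hook, no ABI guarantee: bypasses nscd so SYSTEMD_NSS_RESOLVE_VALIDATE=0 reaches the NSS modules in-process */`. As a style point, `#include "env-util.h"` is appended after `user-util.h` instead of being placed in the sorted include list.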
31@@ -201,6 +206,12 @@ static int run(int argc, char *argv[]) {
32 if (r < 0)
33 return log_error_errno(r, "Failed to parse fallback server strings: %m");
34
35+ r = secure_getenv_bool("SYSTEMD_NSS_RESOLVE_VALIDATE");
36+ if (r == 0) {
37+ log_info("Disabling NSCD because DNSSEC validation is turned off");
38+ __nss_disable_nscd(register_traced_file);
39+ }
40+
41 log_debug("systemd-timesyncd running as pid " PID_FMT, getpid_cached());
42
43 notify_message = notify_start("READY=1\n"
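Review bot: The added check in run() acts only on `r == 0`, so every negative return from `secure_getenv_bool()` is handled as if the variable were unset. A malformed SYSTEMD_NSS_RESOLVE_VALIDATE value therefore leaves nscd in the lookup path with no log line, and the validation setting the unit file intended is silently not applied. Add `else if (r < 0 && r != -ENXIO) log_warning_errno(r, "Failed to parse $SYSTEMD_NSS_RESOLVE_VALIDATE, ignoring: %m");` after the block. `__nss_disable_nscd()` presumably turns off nscd for every NSS database in the process, not just host lookups, which deserves a one-line comment at the call. run() begins and ends outside this hunk, so it cannot be confirmed from here that no name lookup runs before this point.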