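#! /bin/sh -e
# DP: NSCD will cause forward/reverse lookups to be untrustworthy for
# DP: security. This patch disables host cache by default and places a
# DP: warning in the config file.
#
# dpatch wrapper. The unified diff this script applies is appended after the
# final "exit 0" and is fed to patch(1) by reading "$0", so the script only
# works when executed from its own file (not through a pipe) with the payload
# intact. Usage: script -patch|-unpatch <source-dir>

# The shebang's -e is lost when invoked as "sh script"; request it explicitly
# so a failing patch(1) run makes the wrapper exit non-zero.
set -e

# Print the usage error to stderr and exit 1.
usage() {
  printf '%s: script expects -patch|-unpatch as argument\n' "${0##*/}" >&2
  exit 1
}

if [ $# -ne 2 ]; then
  usage
fi

# Fail early with a clear message instead of letting patch -d fail on a
# missing directory.
if [ ! -d "$2" ]; then
  printf '%s: %s is not a directory\n' "${0##*/}" "$2" >&2
  exit 1
fi

case "$1" in
  -patch)
    patch -d "$2" -f --no-backup-if-mismatch -p0 < "$0"
    ;;
  -unpatch)
    patch -d "$2" -f --no-backup-if-mismatch -R -p0 < "$0"
    ;;
  *)
    usage
    ;;
esac
exit 0
--- nscd/nscd.conf~ Sun Apr 28 11:29:50 2002
+++ nscd/nscd.conf Sun Apr 28 11:31:25 2002
@@ -38,7 +38,11 @@
 suggested-size group 211
 check-files group yes
- enable-cache hosts yes
+# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
+# cache hosts will cause your local system to not be able to trust
+# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
+# this sort of security mechanism. Use a caching DNS server instead.
+ enable-cache hosts no
 positive-time-to-live hosts 3600
 negative-time-to-live hosts 20
 suggested-size hosts 211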