[v2] nss: Make nsswitch.conf more distribution friendly.

Message ID f716a992-1fd8-5c32-4231-f034f7a8459f@redhat.com
State New

Commit Message

Carlos O'Donell March 20, 2019, 8:07 p.m. UTC
On 3/20/19 12:58 PM, Florian Weimer wrote:
> * Carlos O'Donell:
> 
>> +# An example Name Service Switch config file. This file should be
>> +# sorted with the most-used services at the beginning.
> 
> The example file itself doesn't seem to follow this.

I noticed that netmasks, automount, and bootparams are not handled by
glibc, but listed in the nsswitch.conf. Are these handled by some other
application which parses /etc/nsswitch.conf? I'm not aware of any that
do so, and so I've removed them.

We never got around to implementing the accessor functions for them,
and only added publickey. I cleaned up the docs and referenced the info
docs from the default nsswitch.conf.

>> +#	ldap			Use LDAP directory server
> 
> Is the module really called ldap these days?  I think it's ldapd.  ldap was
> the module that had an in-process LDAP client, which was kind of iffy.

Yes, this is the ldap module using nslcd.

rpm -qf /lib64/libnss_ldap.so
nss-pam-ldapd-0.9.9-4.fc29.x86_64

Description :
The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
service information (users, groups, etc.) on behalf of a lightweight
nsswitch module.

It's the same name (unfortunately).

v2 follows.

8< --- 8< --- 8<

The current default nsswitch.conf file provided by glibc is not very
distribution friendly. The file contains some minimal directives that no
real distribution uses. This update aims to provide a rich set of
comments which are useful for all distributions, and a broader set of
service defines which should work for all distributions.

Tested defaults on x86_64 and they work. The nsswitch.conf file more
closely matches what we have in Fedora now, and I'll adjust Fedora to
use this version with minor changes to enable Fedora-specific service
providers.

v2
- Add missing databases to manual.
- Add link to manual from default nsswitch.conf.
- Sort nsswitch.conf according to most used database first.
---
  ChangeLog         |  5 +++
  manual/nss.texi   | 20 +++++++++---
  nss/nsswitch.conf | 81 +++++++++++++++++++++++++++++++++++++----------
  3 files changed, 85 insertions(+), 21 deletions(-)

Comments

Florian Weimer March 21, 2019, 8:55 a.m. UTC | #1
* Carlos O'Donell:

> On 3/20/19 12:58 PM, Florian Weimer wrote:
>> * Carlos O'Donell:
>> 
>>> +# An example Name Service Switch config file. This file should be
>>> +# sorted with the most-used services at the beginning.
>> 
>> The example file itself doesn't seem to follow this.
>
> I noticed that netmasks, automount, and bootparams are not handled by
> glibc, but listed in the nsswitch.conf. Are these handled by some other
> application which parses /etc/nsswitch.conf? I'm not aware of any that
> do so, and so I've removed them.
>
> We never got around to implementing the accessor functions for them,
> and only added publickey. I cleaned up the docs and referenced the info
> docs from the default nsswitch.conf.

I think we should only list what is actually implemented in glibc.

sudo uses /etc/nsswitch.conf for a custom database, too, if I recall
correctly.

This is possible because the glibc parser simply ignores unknown
entries.

> +# In order of most-used services first.
> +passwd:     files
> +group:      files
> +hosts:      files dns
> +networks:   files dns
> +initgroups: files
> +shadow:     files
> +gshadow:    files
> +netgroup:   files
> +services:   files
> +protocols:  files
> +ethers:     files
> +aliases:    files
> +rpc:        files
> +publickey:  files
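Review bot: the `# In order of most-used services first.` comment states an ordering the file cannot enforce and that reviewers will not agree on (the header comment in the same hunk says the file "should be sorted" by most-used services); either reword the comment to say plainly that line order is only a readability convention, or adopt the alphabetical order suggested in the reply below, so that the stated rule and the actual listing cannot drift apart.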

I fear we can discuss this to death.  I would suggest alphabetic order
to avoid that.

I have no further comments on the patch.

Andreas Schwab March 21, 2019, 9:16 a.m. UTC | #2
On Mar 20 2019, Carlos O'Donell <codonell@redhat.com> wrote:

> I noticed that netmasks, automount, and bootparams are not handled by
> glibc, but listed in the nsswitch.conf. Are these handled by some other
> application which parses /etc/nsswitch.conf? I'm not aware of any that
> do so, and so I've removed them.

automount is used by autofs.

Andreas.

Carlos O'Donell March 25, 2019, 8:25 p.m. UTC | #3
On 3/21/19 5:16 AM, Andreas Schwab wrote:
> On Mar 20 2019, Carlos O'Donell <codonell@redhat.com> wrote:
> 
>> I noticed that netmasks, automount, and bootparams are not handled by
>> glibc, but listed in the nsswitch.conf. Are these handled by some other
>> application which parses /etc/nsswitch.conf? I'm not aware of any that
>> do so, and so I've removed them.
> 
> automount is used by autofs.

OK, good to know.

Are you OK with the removal of the automount reference in the manual?

Patch

diff --git a/ChangeLog b/ChangeLog
index 9889d21c85..9765ae0160 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@ 
+2019-03-20  Carlos O'Donell  <carlos@redhat.com>
+
+	* nss/nsswitch.conf: Expand comments, and simplify defaults.
+	* manual/nss.texi (NSS Basics): List all known databases.
+
  2019-03-19  Joseph Myers  <joseph@codesourcery.com>
  
  	* sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h (HWCAP_SB): New
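Review bot: the `manual/nss.texi (NSS Basics): List all known databases.` entry overstates what the texi hunks below do: they add gshadow, initgroups and publickey as table items and still leave automount, bootparams and netmasks in a "may be added later" sentence, so "all known databases" is not what lands; name the databases actually added ("Add gshadow, initgroups, and publickey") so the ChangeLog stays accurate.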
diff --git a/manual/nss.texi b/manual/nss.texi
index 164ae33246..5df2f6254a 100644
--- a/manual/nss.texi
+++ b/manual/nss.texi
@@ -56,13 +56,17 @@  functions to access the databases.
  @noindent
  The databases available in the NSS are
  
+@cindex aliases
  @cindex ethers
  @cindex group
+@cindex gshadow
  @cindex hosts
+@cindex initgroups
  @cindex netgroup
  @cindex networks
-@cindex protocols
  @cindex passwd
+@cindex protocols
+@cindex publickey
  @cindex rpc
  @cindex services
  @cindex shadow
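Review bot: `@cindex aliases` is added to the index here, but no matching `@item aliases` appears in the table hunk below, which begins at the ethers entry; confirm the table already has an aliases item above ethers, and if it does not, add one in the same style as its neighbours (a one-line description plus a `@pxref` or a `@comment @pxref{...}` placeholder) so the index and the table list the same set.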
@@ -75,16 +79,22 @@  Ethernet numbers,
  @comment @pxref{Ethernet Numbers}.
  @item group
  Groups of users, @pxref{Group Database}.
+@item gshadow
+Group passphrase hashes and related information.
  @item hosts
  Host names and numbers, @pxref{Host Names}.
+@item initgroups
+Supplementary group access list.
  @item netgroup
  Network wide list of host and users, @pxref{Netgroup Database}.
  @item networks
  Network names and numbers, @pxref{Networks Database}.
-@item protocols
-Network protocols, @pxref{Protocols Database}.
  @item passwd
  User identities, @pxref{User Database}.
+@item protocols
+Network protocols, @pxref{Protocols Database}.
+@item publickey
+Public keys for Secure RPC.
  @item rpc
  Remote procedure call names and numbers.
  @comment @pxref{RPC Database}.
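Review bot: the three new entries (gshadow, initgroups, publickey) carry no cross-reference, whereas every neighbouring entry has either a `@pxref` or a `@comment @pxref{...}` placeholder (see ethers and rpc in this hunk); add the same placeholder comment for each so the convention stays uniform. For initgroups, "Supplementary group access list." alone does not tell the reader how it relates to the group database; one clause saying that it backs the supplementary-group lookup that the group database also feeds would save the reader a trip to the source.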
@@ -96,8 +106,8 @@  User passphrase hashes and related information.
  @end table
  
  @noindent
-There will be some more added later (@code{automount}, @code{bootparams},
-@code{netmasks}, and @code{publickey}).
+More may be added later (@code{automount}, @code{bootparams},
+and @code{netmasks}).
  
  @node NSS Configuration File, NSS Module Internals, NSS Basics, Name Service Switch
  @section The NSS Configuration File
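Review bot: "More may be added later (automount, bootparams, and netmasks)." still forecasts work that glibc does not do, and the thread notes that automount is consumed by autofs rather than glibc; instead of a promise, state that these database names are not implemented by glibc (the parser ignores unknown entries) and may be used by other programs that read nsswitch.conf, which is the information a reader of this paragraph actually needs.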
diff --git a/nss/nsswitch.conf b/nss/nsswitch.conf
index 39ca88bf51..dc4de262dd 100644
--- a/nss/nsswitch.conf
+++ b/nss/nsswitch.conf
@@ -1,20 +1,69 @@ 
+#
  # /etc/nsswitch.conf
  #
-# Example configuration of GNU Name Service Switch functionality.
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
  #
+# Valid databases are: aliases, ethers, group, gshadow, hosts,
+# initgroups, netgroup, networks, passwd, protocols, publickey,
+# rpc, services, and shadow.
+#
+# Valid service provider entries include (in alphabetical order):
+#
+#	compat			Use /etc files plus *_compat pseudo-db
+#	db			Use the pre-processed /var/db files
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files in /etc
+#	hesiod			Use Hesiod (DNS) for user lookups
+#	nis			Use NIS (NIS version 2), also called YP
+#	nisplus			Use NIS+ (NIS version 3)
+#
+# See `info libc 'NSS Basics'` for more information.
+#
+# Commonly used alternative service providers (may need installation):
+#
+#	ldap			Use LDAP directory server
+#	myhostname		Use systemd host names
+#	mymachines		Use systemd machine names
+#	mdns*, mdns*_minimal	Use Avahi mDNS/DNS-SD
+#	resolve			Use systemd resolved resolver
+#	sss			Use System Security Services Daemon (sssd)
+#	systemd			Use systemd for dynamic user option
+#	winbind			Use SAMBA winbind support
+#	wins			Use SAMBA wins support
+#	wrapper			Use wrapper module for testing
+#
+# Notes:
+#
+# 'sssd' performs its own 'files'-based caching, so it should generally
+# come before 'files'.
+#
+# WARNING: Running nscd with a secondary caching service like sssd may
+# 	   lead to unexpected behaviour, especially with how long
+# 	   entries are cached.
+#
+# Installation instructions:
+#
+# To use 'db', install the appropriate package(s) (provide 'makedb' and
+# libnss_db.so.*), and place the 'db' in front of 'files' for entries
+# you want to be looked up first in the databases, like this:
+#
+# passwd:    db files
+# shadow:    db files
+# group:     db files
  
-passwd:		db files
-group:		db files
-initgroups:	db [SUCCESS=continue] files
-shadow:		db files
-gshadow:	files
-
-hosts:		files dns
-networks:	files dns
-
-protocols:	db files
-services:	db files
-ethers:		db files
-rpc:		db files
-
-netgroup:	db files
+# In order of most-used services first.
+passwd:     files
+group:      files
+hosts:      files dns
+networks:   files dns
+initgroups: files
+shadow:     files
+gshadow:    files
+netgroup:   files
+services:   files
+protocols:  files
+ethers:     files
+aliases:    files
+rpc:        files
+publickey:  files
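Review bot: the "Notes" paragraph calls the module 'sssd' while the provider list a few lines above names it `sss`; use `sss` in the note so the name a user has to type in a service line matches the one documented. Also, the 'db' installation example drops the old `initgroups: db [SUCCESS=continue] files` default that this hunk removes: the removed line showed that initgroups needs the `[SUCCESS=continue]` action to merge results from both sources, and the new instructions only list passwd, shadow and group, so a user who follows them loses that action; add `initgroups: db [SUCCESS=continue] files` to the example. The nscd WARNING is a good addition and should stay.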