Somethings still up with new NSS?

Jacques A. Vidrine nectar at FreeBSD.org
Mon Apr 28 04:19:04 PDT 2003 

On Mon, Apr 28, 2003 at 05:55:21AM -0500, Jacques A. Vidrine wrote:
> I thought the relative dearth of critical bug reports so far was too
> good to be true :-)
> 
> Sounds like I have introduced a bug into `pwd_mkdb -u', which is the
> common denominator in your reports.  `passwd', `chsh', `pw' all use
> `pwd_mkdb -u', whereas vipw uses plain `pwd_mkdb'.
> 
> I will look at it closely today!
> 
> Meanwhile, if this happens to you, just run `vipw' or `pwd_mkdb' to
> rebuild your database.

Here's the scoop:

The NSS commit included changes to update the format of /etc/pwd.db
and /etc/spwd.db pre-processed passwd(5) files so that they could be
moved from architecture to architecture.  To enable compatibility with
old binaries, the format includes versioned entries.  (The `old version'
is version 3;  the `new version' is version 4.)

pwd_mkdb(8) rebuilds the databases from /etc/master.passwd.  This
utility can either rebuild the entire database, which is the default
behavior, or it can update only a single entry, which is the behavior
requested by the `-u' option.  passwd(1), chsh(1) and similar tools
use the `-u' option.

Now if you run `pwd_mkdb' built after the NSS commit, everything is
fine.  Version 3 and version 4 entries are created.  Your old and new
binaries will `see' all the users.

But, if you run `pwd_mkdb -u' BEFORE you rebuild the entire database
with plain `pwd_mkdb', the database will have version 3 entries for
all of your users, but only a version 4 entry for the single target
user.  Old binaries still function fine, but new binaries now `see'
that the database supports the new version 4 entries.  So, only the
single user that was updated is recognized.

So until I add logic to pwd_mkdb(8) to recognize and deal
appropriately with this situation, it is best to run pwd_mkdb once
manually after the NSS commit.

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se

More information about the freebsd-current mailing list