Trying to think out a hack for NSS and pw(8)

Poul-Henning Kamp phk at
Fri Sep 9 20:18:30 UTC 2016

In message <22483.5592.653250.726711 at>, Garrett Wollman w

> Puppet invokes pw(8) to actually perform the
>modifications, but I suspect it also uses native code from the Ruby
>standard library to actually do pre-modification lookups.
>Looking at the code in both nss-pam-ldapd and libc, it seems like the
>only plausible way to fix this is to add functionality to nsswitch
>which would allow it to use different configurations depending on the
>identity of the process invoking getpwnam(3) or getgrnam(3).

You want to add a futher layer of complications to the the already
far too complicated user/group/authentication code in FreeBSD,
just because you don't want to look at Puppets Ruby code ?

Really ?

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the freebsd-security mailing list