Trying to think out a hack for NSS and pw(8)
kaduk at MIT.EDU
Sat Sep 10 06:01:49 UTC 2016
On Fri, 9 Sep 2016, Garrett Wollman wrote:
> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here). I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database. We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP). Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3). Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?
It's a bit late here, but it sounds kind of like you want to be able to
set NSS_NONLOCAL_IGNORE [and have it do something useful]?
Unfortunately, I never got far enough in trying to port Athena to FreeBSD
to have looked at how portable nss_nonlocal is. But it is probably worth
looking at, for your case.
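As an added illustration of the distinction the thread turns on (it is not code from either poster, nor from nss_nonlocal or pw(8)): getpwnam(3) answers from whatever sources nsswitch.conf lists, so it cannot say whether an entry came from the local files or from LDAP, but the local database itself is just passwd(5)-format text that can be parsed directly. The example below parses a constructed sample of that text (the name SAMPLE_LOCAL_PASSWD and the entries in it are made up here) and then compares the result with getpwnam(3) to classify an account as local, NSS-only, or unknown. On a real FreeBSD host the text would be read from /etc/master.passwd rather than embedded, and the function and type names are this example's own.

```c
/* Added example: tell "local" accounts apart from nsswitch-merged ones by
 * parsing passwd(5)-format text directly instead of relying on getpwnam(3).
 * Sample data and all identifiers here are constructed for the illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>

#define PW_NFIELDS  7     /* name:passwd:uid:gid:gecos:home:shell */
#define PW_FIELDMAX 256

/* Split one passwd(5) line into its seven fields.
 * Returns 1 on a well-formed line, 0 if the field count or a field length is off. */
static int split_passwd_line(const char *line, size_t len,
                             char fields[PW_NFIELDS][PW_FIELDMAX])
{
    int nf = 0;
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || line[i] == ':') {
            size_t flen = i - start;
            if (nf >= PW_NFIELDS || flen >= PW_FIELDMAX)
                return 0;                    /* too many fields, or one too long */
            memcpy(fields[nf], line + start, flen);
            fields[nf][flen] = '\0';
            nf++;
            start = i + 1;
        }
    }
    return nf == PW_NFIELDS;
}

/* Search passwd(5)-format text for `name`. Returns the uid of a well-formed
 * matching entry, or -1 if the name is absent or its entry is malformed.
 * Blank lines and '#' comment lines are skipped. */
long local_passwd_uid(const char *text, const char *name)
{
    char fields[PW_NFIELDS][PW_FIELDMAX];
    const char *line = text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 0 && line[0] != '#' &&
            split_passwd_line(line, len, fields) &&
            strcmp(fields[0], name) == 0) {
            char *endp;
            unsigned long v = strtoul(fields[2], &endp, 10);
            /* uid must be a non-empty, fully numeric field */
            return (fields[2][0] != '\0' && *endp == '\0') ? (long)v : -1;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Classify an account: 1 = present in the local text, 2 = known only through
 * getpwnam(3) (i.e. supplied by another nsswitch source such as LDAP),
 * 0 = unknown to both. */
int classify_account(const char *local_text, const char *name)
{
    if (local_passwd_uid(local_text, name) >= 0)
        return 1;
    if (getpwnam(name) != NULL)
        return 2;
    return 0;
}

/* Constructed sample of local passwd(5) text; not a real system file. */
static const char SAMPLE_LOCAL_PASSWD[] =
    "# constructed sample, not /etc/master.passwd\n"
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "operator:*:2:5:System &:/:/usr/sbin/nologin\n"
    "broken-line-without-enough-fields\n"
    "svc-backup:*:1001:1001:Backup service:/home/svc-backup:/bin/sh\n";

int main(void)
{
    const char *names[] = { "root", "svc-backup", "nosuchuser-xyz" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-16s local_uid=%ld class=%d\n", names[i],
               local_passwd_uid(SAMPLE_LOCAL_PASSWD, names[i]),
               classify_account(SAMPLE_LOCAL_PASSWD, names[i]));
    }
    return 0;
}
```

Because the local file is consulted first, an entry that exists both locally and in LDAP is reported as local, which matches the override semantics the first message describes; the malformed sample line is rejected rather than matched on its prefix.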