Trying to think out a hack for NSS and pw(8)

Benjamin Kaduk kaduk at MIT.EDU
Sat Sep 10 06:01:49 UTC 2016

On Fri, 9 Sep 2016, Garrett Wollman wrote:

> Presently, we have a bunch of machines under configuration management
> (using Puppet, but that's not really relevant here).  I'm hoping to
> implement LDAP via nsswitch on these machines, but I've run into an
> issue: the standard getpw*(3) mechanisms can't tell the difference
> between users or groups in the local databases and those in the remote
> LDAP database.  We need Puppet to manage entries for users and groups
> in the local database, without respect to what entries might be
> imported from LDAP (because they are supposed to override the data
> returned by LDAP).  Puppet invokes pw(8) to actually perform the
> modifications, but I suspect it also uses native code from the Ruby
> standard library to actually do pre-modification lookups.
> Looking at the code in both nss-pam-ldapd and libc, it seems like the
> only plausible way to fix this is to add functionality to nsswitch
> which would allow it to use different configurations depending on the
> identity of the process invoking getpwnam(3) or getgrnam(3).  Does
> anyone have opinions on how this ought to be implemented, or indeed
> how it could be implemented securely?

It's a bit late here, but it sounds kind of like you want to be able to
set NSS_NONLOCAL_IGNORE [and have it do something useful]?

Unfortunately, I never got far enough in trying to port Athena to FreeBSD
to have looked at how portable nss_nonlocal is.  But it is probably worth
looking at, for your case.
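As an added illustration (not part of either message above), the following Python models the distinction the question hinges on: an nsswitch chain of `files` then `ldap`, where a name found in the local files database masks the directory entry, and where a caller that wants only local data can skip the remote backend, which is the role NSS_NONLOCAL_IGNORE plays in nss_nonlocal. The local passwd text and the remote directory are constructed sample data; `nss_getpwnam`, `source_of`, `overridden_names` and `uid_collisions` are hypothetical helper names, not part of libc, nss-pam-ldapd or pw(8).

```python
"""Model an nsswitch 'passwd: files ldap' chain and report which backend a
name resolves from.  All data below is constructed; nothing touches the host."""

from typing import Dict, NamedTuple, Optional, Set, Tuple


class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PwEntry]:
    """Parse passwd(5)-style text (the 'files' backend) into a dict keyed by
    name.  Blank lines and '#' comments are skipped; a line that does not have
    exactly 7 colon-separated fields, or a duplicate name, raises ValueError."""
    entries: Dict[str, PwEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        entries[name] = PwEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


# Constructed sample of the local files database (/etc/passwd layout).
LOCAL_PASSWD = """\
# constructed sample, not a real host's file
root:*:0:0:Charlie &:/root:/bin/sh
puppet:*:800:800:Puppet agent:/var/lib/puppet:/usr/sbin/nologin
alice:*:1001:1001:Alice (managed locally):/home/alice:/bin/sh
"""

# Constructed stand-in for what the ldap backend would answer.
REMOTE_DIRECTORY: Dict[str, PwEntry] = {
    "alice": PwEntry("alice", 5001, 5001, "Alice (directory)", "/home/alice", "/bin/sh"),
    "bob": PwEntry("bob", 5002, 5002, "Bob", "/home/bob", "/bin/sh"),
    "svc": PwEntry("svc", 800, 800, "Directory service account", "/nonexistent", "/usr/sbin/nologin"),
}


def nss_getpwnam(name: str, local: Dict[str, PwEntry], remote: Dict[str, PwEntry],
                 ignore_nonlocal: bool = False) -> Tuple[Optional[PwEntry], Optional[str]]:
    """Emulate getpwnam(3) under 'passwd: files ldap'.  The files backend is
    consulted first, so a local entry masks a remote one with the same name.
    ignore_nonlocal models a per-caller switch that skips the remote backend."""
    if name in local:
        return local[name], "files"
    if not ignore_nonlocal and name in remote:
        return remote[name], "ldap"
    return None, None


def source_of(name: str, local: Dict[str, PwEntry], remote: Dict[str, PwEntry]) -> str:
    """'files', 'ldap' or 'absent': which backend answered for this name."""
    _, src = nss_getpwnam(name, local, remote)
    return src or "absent"


def overridden_names(local: Dict[str, PwEntry], remote: Dict[str, PwEntry]) -> Set[str]:
    """Names present in both sources.  The local entry wins in the chain, but a
    configuration-management tool should know the directory disagrees."""
    return set(local) & set(remote)


def uid_collisions(local: Dict[str, PwEntry], remote: Dict[str, PwEntry]) -> Dict[int, Tuple[str, str]]:
    """uids that map to one name locally and a different name in the directory:
    files on disk owned by that uid would be attributed to different accounts
    depending on which backend a process happens to consult."""
    local_by_uid = {e.uid: e.name for e in local.values()}
    return {e.uid: (local_by_uid[e.uid], e.name)
            for e in remote.values()
            if e.uid in local_by_uid and local_by_uid[e.uid] != e.name}


if __name__ == "__main__":
    local_db = parse_passwd(LOCAL_PASSWD)
    for n in ("root", "alice", "bob", "carol"):
        print(f"{n}: {source_of(n, local_db, REMOTE_DIRECTORY)}")
    print("overridden by local entries:", sorted(overridden_names(local_db, REMOTE_DIRECTORY)))
    print("uid collisions:", uid_collisions(local_db, REMOTE_DIRECTORY))
```

The two report functions are the checks a tool that manages only the local database would want before calling pw(8): which of its entries silently mask directory accounts, and which uids mean different things in the two sources.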
