Closed nguyen102 closed 5 months ago
When implementing `get_entry_by_gid` do we need to return a value for preexisting gid in `/etc/group` file? Also, same question regarding `get_entry_by_name` for `group` and `passwd`.
No need to return entries if that same content is already present on disk in e.g. `/etc/group` / `/etc/passwd`. That is taken care of by the existing mappings as set up by the default installation process.
From `README.md`:

> libnss_shim is mapped as shim in /etc/nsswitch.conf as the last source for all supported databases
What this looks like in `/etc/nsswitch.conf` by default after installing `libnss_shim` on a clean AlmaLinux system:

```
(...)
passwd: sss files systemd shim
shadow: files shim
group: sss files systemd shim
(...)
```
This means that by default the `shim` will be called only after lookups to the other databases listed before it, and only if the others failed. So if there is already an entry on disk (or in any preceding database) for that particular query then `libnss_shim` will never be called.
You can demonstrate this effect by configuring `libnss_shim` to respond with different information than is on disk, and running these queries:

```
getent group root
getent -s files group root
getent -s shim group root
```
The first one makes a normal request which follows the priority order for `group` set in `/etc/nsswitch.conf`: `sss`, `files`, `systemd`, `shim`. Because `sss` responds with nothing, NSS moves on and requests it from `files`, which succeeds so `systemd`/`shim` are never queried.

The second command specifically requests it from `files` (i.e. `/etc/group`), so the same information as the first command is returned.

The third command requests it from `shim`, so `libnss_shim` is used and the custom entry value is returned.
If the order of `group` in `/etc/nsswitch.conf` is changed so that `libnss_shim` is first, then `getent group root` will return the custom value right away and never check the other databases:
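The first-source-that-answers behaviour described in the reply above, as an added simulation that is not part of this thread or of libnss_shim: it parses a constructed `nsswitch.conf` excerpt, walks the sources in the listed order for `getent group root`, honours a `-s SOURCE` override, and shows what changes when `shim` is moved to the front. The in-memory `SOURCES` tables and the `custom-member` value are constructed stand-ins for the real databases; `[action]` bracket syntax in nsswitch.conf is deliberately not modelled.

```python
# Constructed sample databases standing in for the real NSS sources.
# "files" mirrors what /etc/group would hold; "shim" is what a libnss_shim
# command has been configured to answer for the same name (deliberately
# different so the answering source is visible). "sss" and "systemd" know
# nothing about root, like on the clean system in the thread.
SOURCES = {
    "sss":     {},
    "files":   {"root": ("root", "x", 0, ["root"])},
    "systemd": {},
    "shim":    {"root": ("root", "x", 0, ["root", "custom-member"])},
}

# Constructed /etc/nsswitch.conf excerpt using the order shown above.
NSSWITCH_CONF = """\
# comment line
passwd: sss files systemd shim
shadow: files shim
group: sss files systemd shim
"""

def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text, skipping
    blank and comment lines. [NOTFOUND=return]-style actions are not modelled."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        order[db.strip()] = sources.split()
    return order

def lookup(database, name, conf=NSSWITCH_CONF, only_source=None):
    """Simulate 'getent [-s SOURCE] DATABASE NAME': consult the sources in
    nsswitch.conf order (or just SOURCE) and stop at the first that answers.
    Returns (answering_source, entry, sources_actually_consulted)."""
    sources = [only_source] if only_source else parse_nsswitch(conf)[database]
    consulted = []
    for src in sources:
        consulted.append(src)
        entry = SOURCES.get(src, {}).get(name)
        if entry is not None:
            return src, entry, consulted
    return None, None, consulted

if __name__ == "__main__":
    for src in (None, "files", "shim"):
        print(src or "(default order)", lookup("group", "root", only_source=src))
    # With shim listed first the custom value wins and files is never asked.
    reordered = NSSWITCH_CONF.replace("group: sss files systemd shim", "group: shim sss files systemd")
    print("shim first", lookup("group", "root", conf=reordered))
```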
Thank you so much for the clear and detailed explanation
No problem Tim - I added this information to the docs as it seems like it could be useful to surface there: https://github.com/xenago/libnss_shim/blob/main/docs/README.md#interaction-with-etcnsswitchconf
When implementing `get_entry_by_gid` do we need to return a value for preexisting gid in `/etc/group` file? Also, same question regarding `get_entry_by_name` for `group` and `passwd`. Does `libnss_shim` know to only call those methods if it can't find those ids and gids in the `/etc/group` and `/etc/passwd` files?