Commit Graph

5 Commits

Author SHA1 Message Date
Stephen Gallagher
ced8f89336 NSS: Implement group merging support.
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

== Justification ==
It is common today for users to rely on centrally-managed user stores for
handling their user accounts. However, much software existing today does
not have an innate understanding of such accounts. Instead, they commonly
rely on membership in known groups for managing access-control (for
example the "wheel" group on Fedora and RHEL systems or the "adm" group
on Debian-derived systems). In the present incarnation of nsswitch, the
only way to have such groups managed by a remote user store such as
FreeIPA or Active Directory would be to manually remove the groups from
/etc/group on the clients so that nsswitch would then move past nss_files
and into the SSSD, nss-ldap or other remote user database.

== Solution ==
With this patch, a new action is introduced for nsswitch:
NSS_ACTION_MERGE. To take advantage of it, one will add [SUCCESS=merge]
between two database entries in the nsswitch.conf file. When a group is
located in the first of the two group entries, processing will continue
on to the next one. If the group is also found in the next entry (and the
group name and GID are an exact match), the member list of the second
entry will be added to the group object to be returned.

== Implementation ==
After each DL_LOOKUP_FN() returns, the next action is checked. If the
function returned NSS_STATUS_SUCCESS and the next action is
NSS_ACTION_MERGE, a copy of the result buffer is saved for the next pass
through the loop. If on this next pass through the loop the database
returns another instance of a group matching both the group name and GID,
the member list is added to the previous list and it is returned as a
single object. If the following database does not contain the same group,
then the original is copied back into the destination buffer.

This patch implements merge functionality only for the group database.
For other databases, there is a default implementation that will return
the EINVAL errno if a merge is requested. The merge functionality can be
implemented for other databases at a later time if such is needed. Each
database must provide a unique implementation of the deep-copy and merge
functions.

If [SUCCESS=merge] is present in nsswitch.conf for a glibc version that
does not support it, glibc will process results up until that operation,
at which time it will return results if it has found them or else will
simply return an error. In practical terms, this ends up behaving like
the remainder of the nsswitch.conf line does not exist.

== Iterators ==
This feature does not modify the iterator functionality from its current
behavior. If getgrnam() or getgrgid() is called, glibc will iterate
through all entries in the `group` line in nsswitch.conf and display the
list of members without attempting to merge them. This is consistent with
the behavior of nss_files where if two separate lines are specified for
the same group in /etc/group, getgrnam()/getgrgid() will display both.
Clients are already expected to handle this gracefully.

== No Premature Optimizations ==
The following is a list of places that might be eligible for
optimization, but were not overengineered for this initial contribution:
 * Any situation where a merge may occur will result in one malloc() of
   the same size as the input buffer.
 * Any situation where a merge does occur will result in a second
   malloc() to hold the list of pointers to member name strings.
 * The list of members is simply concatenated together and is not tested
   for uniqueness (which is identical to the behavior for nss_files,
   which will simply return identical values if they both exist on the
   line in the file). This could potentially be optimized to reduce space
   usage in the buffer, but it is both complex and computationally
   expensive to do so.

== Testing ==
I performed testing by running the getent utility against my newly-built
glibc and configuring /etc/nsswitch.conf with the following entry:
group:      files [SUCCESS=merge] sss

In /etc/group I included the line:
wheel:x:10:sgallagh

I then configured my local SSSD using the id_provider=local to respond
with:
wheel:*:10:localuser,localuser2

I then ran `getent group wheel` against the newly-built glibc in
multiple situations and received the expected output as described
above:
 * When SSSD was running.
 * When SSSD was configured in nsswitch.conf but the daemon was not
   running.
 * When SSSD was configured in nsswitch.conf but nss_sss.so.2 was not
   installed on the system.
 * When the order of 'sss' and 'files' was reversed.
 * All of the above with the [SUCCESS=merge] removed (to ensure no
   regressions).
 * All of the above with `getent group 10`.
 * All of the above with `getent group` with and without
   `enumerate=true` set in SSSD.
 * All of the above with and without nscd enabled on the system.
2016-04-29 22:18:21 -04:00
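The merge step the commit above describes, as an added example that is not glibc's code: a small C model of NSS_ACTION_MERGE for the group database that replays the wheel scenario from the Testing section. The names merge_group, count_members and demo_wheel_members are hypothetical; the files line wheel:x:10:sgallagh and the SSSD line wheel:*:10:localuser,localuser2 are taken from the commit message.

```c
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of one [SUCCESS=merge] step (hypothetical names, not glibc's). */
enum merge_result { MERGE_KEPT_FIRST = 0, MERGE_MERGED = 1 };

/* Length of a NULL-terminated member list. */
static size_t count_members(char *const *mem)
{
    size_t n = 0;
    while (mem != NULL && mem[n] != NULL)
        n++;
    return n;
}

/* Append second->gr_mem to first->gr_mem when group name and GID both match.
   Members are concatenated as-is (duplicates kept), as the commit describes.
   On merge, first->gr_mem becomes a malloc'ed list the caller must free;
   on mismatch, first is left untouched and the first result stands. */
enum merge_result merge_group(struct group *first, const struct group *second)
{
    if (strcmp(first->gr_name, second->gr_name) != 0
        || first->gr_gid != second->gr_gid)
        return MERGE_KEPT_FIRST;
    size_t n1 = count_members(first->gr_mem);
    size_t n2 = count_members(second->gr_mem);
    char **merged = malloc((n1 + n2 + 1) * sizeof *merged);
    if (merged == NULL)
        return MERGE_KEPT_FIRST;   /* allocation failed: keep first result */
    memcpy(merged, first->gr_mem, n1 * sizeof *merged);
    memcpy(merged + n1, second->gr_mem, n2 * sizeof *merged);
    merged[n1 + n2] = NULL;
    first->gr_mem = merged;
    return MERGE_MERGED;
}

/* Replay the commit's test: files has wheel:x:<files_gid>:sgallagh and SSSD
   answers wheel:*:<sss_gid>:localuser,localuser2 (constructed sample data).
   Returns how many members the caller sees after the merge step. */
size_t demo_wheel_members(gid_t files_gid, gid_t sss_gid)
{
    char *files_mem[] = { "sgallagh", NULL };
    char *sss_mem[] = { "localuser", "localuser2", NULL };
    struct group files_grp = { .gr_name = "wheel", .gr_passwd = "x", .gr_gid = files_gid, .gr_mem = files_mem };
    struct group sss_grp = { .gr_name = "wheel", .gr_passwd = "*", .gr_gid = sss_gid, .gr_mem = sss_mem };
    enum merge_result r = merge_group(&files_grp, &sss_grp);
    size_t n = count_members(files_grp.gr_mem);
    if (r == MERGE_MERGED)
        free(files_grp.gr_mem);
    return n;
}
```

With matching name and GID the caller sees all three members; a GID mismatch leaves only the files entry, which is the "original is copied back" case in the Implementation section.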
Ulrich Drepper
8fee1bb0b2 Update.
2001-06-07  Mark Kettenis  <kettenis@gnu.org>

	* grp/initgroups.c (initgroups): Factor out re-usable code into...
	(internal_getgrouplist): ... new function.
	(getgrouplist): New function.
	* grp/grp.h (getgrouplist): New prototype.
	* grp/Versions [2.2.4]: Add getgrouplist.

2001-06-16  Ulrich Drepper  <drepper@redhat.com>

	* inet/netinet/ip6.h: Fix comments in ip6_hdr.
	Patch by Pekka Savola <pekkas@netcore.fi>.
2001-06-16 19:50:36 +00:00
Ulrich Drepper
c2fa5b5a4f Update.
1999-07-09  Cristian Gafton  <gafton@redhat.com>

	* nscd/nscd_gethst_r.c (nscd_gethst_r): Make sure
	resultbuf->h_addr_list addresses are correctly aligned.

	* sysdeps/i386/bits/string.h (__memcpy_c): Help some stupid old
	compilers.
	(__memset_cc): Likewise.
1999-07-09 20:58:54 +00:00
Ulrich Drepper
7ce241a03e Update.
1998-07-31 17:59  Ulrich Drepper  <drepper@cygnus.com>

	* sysdeps/generic/bits/byteswap.h: Fix problems with side effects.

	* manual/filesys.texi: Document truncate and ftruncate.
	Patch by Michael Deutschmann <michael@talamasca.wkpowerlink.com>.

	* shadow/putspent.c: Lock stream while generating the output.

	* sunrpc/clnt_unix.c: Use ucred instead of cmsgcred again.
	(__msgwrite): Rewrite accordingly.
	* sunrpc/svc_unix.c: Likewise.
	* sysdeps/unix/sysv/linux/Dist: Remove __recvmsg.S and __sendmsg.S.
	* sysdeps/unix/sysv/linux/Makefile [$(subdir)==socket]
	(sysdep_routines): Remove __sendmsg and __recvmsg.
	* sysdeps/unix/sysv/linux/__recvmsg.S: Removed.
	* sysdeps/unix/sysv/linux/__sendmsg.S: Removed.
	* sysdeps/unix/sysv/linux/recvmsg.c: Removed.
	* sysdeps/unix/sysv/linux/sendmsg.c: Removed.
	* sysdeps/unix/sysv/linux/recvmsg.S: New file.
	* sysdeps/unix/sysv/linux/sendmsg.S: New file.
	* sysdeps/unix/sysv/linux/bits/socket.h: Define SCM_CREDENTIALS and
	struct ucred.  Remove struct cmsgcred.
	Patches by Thorsten Kukuk.

1998-08-03  Andreas Jaeger  <aj@arthur.rhein-neckar.de>

	* inet/rcmd.c (__ivaliduser): Allow '#' as comment character.

1998-08-08 14:42  Ulrich Drepper  <drepper@cygnus.com>

	* argp/argp-help.c: Prepare to be used outside glibc without gcc by
	adding usual alloca cruft.
	Reported by Eleftherios Gkioulekas <lf@amath.washington.edu>.

1998-04-05  Jim Meyering  <meyering@ascend.com>

	* lib/regex.c (WIDE_CHAR_SUPPORT): Define.
	This now depends on HAVE_BTOWC so systems that lack btowc (like
	solaris-2.5.1) don't lose.

1998-08-07  Mark Kettenis  <kettenis@phys.uva.nl>

	* sysdeps/generic/bits/sigaction.h: Remove definition of SA_DISABLE.
	* sysdeps/generic/bits/sigstack.h: Define SS_DISABLE, SS_ONSTACK,
	MINSIGSTKZ and SIGSTKSZ.  Definitions match BSD.
	* hurd/sigunwind.c (_hurdsig_longjmp_from_handler): Use SS_ONSTACK
	instead of SA_ONSTACK.
	* sysdeps/mach/hurd/sigaltstack.c (__sigaltstack): Renamed from
	sigaltstack, and created a weak alias.  Use SS_DISABLE and
	SS_ONSTACK instead of SA_DISABLE and SA_ONSTACK.
	* sysdeps/mach/hurd/sigstack.c (sigstack): Use SS_ONSTACK instead
	of SA_ONSTACK.  Call __sigaltstack instead of sigaltstack.
	* sysdeps/mach/hurd/i386/sigreturn.c (__sigreturn): Use SS_ONSTACK
	instead of SA_ONSTACK.
	* sysdeps/mach/hurd/alpha/sigreturn.c (__sigreturn): Likewise.
	* sysdeps/mach/hurd/mips/sigreturn.c (__sigreturn): Likewise.
	* sysdeps/mach/hurd/i386/trampoline.c (_hurd_setup_sighandler):
	Use SS_DISABLE instead of SA_DISABLE.  Use SS_ONSTACK instead of
	SA_ONSTACK where appropriate.
	* sysdeps/mach/hurd/alpha/trampoline.c (_hurd_setup_sighandler):
	Likewise.
	* sysdeps/mach/hurd/hppa/trampoline.c (_hurd_setup_sighandler):
	Likewise.
	* sysdeps/mach/hurd/mips/trampoline.c (_hurd_setup_sighandler):
	Likewise.
	* manual/signal.texi (Signal Stack): Talk about SS_DISABLE and
	SS_ONSTACK instead of SA_DISABLE and SA_ONSTACK in discussion of
	the `ss_flags' member of `struct sigaltstack'.

1998-08-05  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* libio/Makefile (routines) [$(versioning)=yes]: Add oldtmpfile.
	(shared-only-routines): Likewise.
	* libio/oldtmpfile.c: New file.
	* stdio-common/tmpfile.c: Use __fdopen and __close.
	[USE_IN_LIBIO]: Use _IO_fdopen instead of _IO_new_fdopen.  Put
	tmpfile on symbol version GLIBC_2.1.
	* stdio-common/tmpfile64.c: Use __fdopen and __close.
	[USE_IN_LIBIO]: Use _IO_fdopen instead of _IO_new_fdopen.
	* stdio-common/Version [GLIBC_2.1]: Add tmpfile.
	* stdio-common/tempnam.c: Use __strdup instead of strdup.
	* sysdeps/posix/fdopen.c: Define __fdopen and make fdopen weak
	alias.
	* sysdeps/generic/fdopen.c: Likewise.
	* sysdeps/mach/hurd/fdopen.c: Likewise.
	* stdio/stdio.h: Declare __fdopen.
	* sunrpc/openchild.c: Use __fdopen instead of fdopen.
	[USE_IN_LIBIO]: Map __fdopen to _IO_fdopen.
	* sysdeps/posix/tempname.c (__gen_tempname): Don't bother checking
	__stub_open64, it is never defined.

1998-08-05  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* libio/iofopen64.c: Fix typo.  Avoid unnecessary casts.
	* libio/iopopen.c: Unlink file before freeing it if command
	creation failed.  Avoid unnecessary casts.
	* libio/iofdopen.c:  Avoid unnecessary cast.
	* pwd/fgetpwent_r.c [USE_IN_LIBIO]: Map funlockfile to
	_IO_funlockfile.
	* pwd/fgetspent_r.c [USE_IN_LIBIO]: Likewise.

1998-08-06  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* grp/grp.h, pwd/pwd.h: Don't declare __grpopen, __grpread,
	__grpalloc, __grpscan and the corresponding pwd functions, they
	were removed long ago.

1998-08-06  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* math/libm-test.c (csqrt_test): Adjust epsilons.
	(casinh_test): Likewise.

1998-08-06  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* posix/globtest.sh: Fix typo.  Remove second test output file.

1998-08-07  Cristian Gafton  <gafton@redhat.com>

	* pwd/putpwent.c (putpwent): Avoid writing (none) in the passwd file.
	* shadow/putspent.c (putspent): Likewise.
	* grp/putgrent.c: New file.
	* grp/Makefile (routines): Add putgrent.
	* grp/Versions [GLIBC_2.1]: Add putgrent.
	* grp/grp.h: Add putgrent prototype.

1998-08-04 19:33  Ulrich Drepper  <drepper@cygnus.com>

	* elf/elf.h: More ELF definitions.
1998-08-08 20:02:34 +00:00
Ulrich Drepper
b0b67c47a5 Update.
1998-07-02 21:51  Ulrich Drepper  <drepper@cygnus.com>

	* Makeconfig: Define list of subdirs as all-subdirs and make subdirs
	a copy.
	* Makefile: Add rules to generate map files.
	(distribute): Remove libc.map, add Versions.def and versions.awk.
	* Makerules: Change rules to find map files on common-objpfx.
	* elf/Makefile: Likewise.
	* md5-crypt/Makefile: Likewise.
	* nis/Makefile (libnsl-map): Remove.
	* Versions.def: New file.
	* versions.awk: New file.
	* argp/Versions: New file.
	* assert/Versions: New file.
	* catgets/Versions: New file.
	* csu/Versions: New file.
	* ctype/Versions: New file.
	* db/Versions: New file.
	* debug/Versions: New file.
	* dirent/Versions: New file.
	* elf/Versions: New file.
	* gmon/Versions: New file.
	* grp/Versions: New file.
	* hesiod/Versions: New file.
	* hurd/Versions: New file.
	* iconv/Versions: New file.
	* inet/Versions: New file.
	* intl/Versions: New file.
	* io/Versions: New file.
	* libio/Versions: New file.
	* linuxthreads/Versions: New file.
	* locale/Versions: New file.
	* login/Versions: New file.
	* malloc/Versions: New file.
	* math/Versions: New file.
	* md5-crypt/Versions: New file.
	* misc/Versions: New file.
	* nis/Versions: New file.
	* nss/Versions: New file.
	* posix/Versions: New file.
	* pwd/Versions: New file.
	* resolv/Versions: New file.
	* resource/Versions: New file.
	* rt/Versions: New file.
	* setjmp/Versions: New file.
	* shadow/Versions: New file.
	* signal/Versions: New file.
	* socket/Versions: New file.
	* stdio/Versions: New file.
	* stdio-common/Versions: New file.
	* stdlib/Versions: New file.
	* streams/Versions: New file.
	* string/Versions: New file.
	* sunrpc/Versions: New file.
	* sysdeps/alpha/Versions: New file.
	* sysdeps/alpha/fpu/Versions: New file.
	* sysdeps/i386/Versions: New file.
	* sysdeps/sparc/Versions: New file.
	* sysdeps/unix/sysv/Versions: New file.
	* sysdeps/unix/sysv/linux/Versions: New file.
	* sysdeps/unix/sysv/linux/alpha/Versions: New file.
	* sysdeps/unix/sysv/linux/i386/Versions: New file.
	* sysdeps/unix/sysv/linux/mips/Versions: New file.
	* sysvipc/Versions: New file.
	* termios/Versions: New file.
	* time/Versions: New file.
	* wcsmbs/Versions: New file.
	* wctype/Versions: New file.
	* libc.map: Removed.
	* db/libdb.map: Removed.
	* elf/libdl.map: Removed.
	* hesiod/libnss_hesiod.map: Removed.
	* hurd/libhurduser.map: Removed.
	* hurd/libmachuser.map: Removed.
	* linuxthreads/libpthread.map: Removed.
	* locale/libBrokenLocale.map: Removed.
	* login/libutil.map: Removed.
	* math/libm.map: Removed.
	* md5-crypt/libcrypt.map: Removed.
	* nis/libnsl.map: Removed.
	* nis/libnsl_compat.map: Removed.
	* nis/libnss_nis.map: Removed.
	* nis/libnss_nisplus.map: Removed.
	* nss/libnss_db.map: Removed.
	* nss/libnss_files.map: Removed.
	* resolv/libnss_dns.map: Removed.
	* resolv/libresolv.map: Removed.
	* rt/librt.map: Removed.

	* elf/dl-load.c (fillin_rpath): Fix test for trusted directory.
	Fix typos.

	* elf/rtld.c (process_dl_debug): Recognize 'all'.
	(process_envvars): LD_BIND_NOW must be followed by y, Y, or 1.

	* sysdeps/generic/elf/backtracesyms.c: Allocate string memory of
	correct size.

	* sysdeps/unix/sysv/linux/getsysstats.c (get_proc_path): Fix typo
	in comment.
1998-07-02 22:51:40 +00:00