nss_nonlocal

The nss_nonlocal module allows one to configure nonlocal sources of name service information (such as nss_hesiod, nss_ldap, or any of the others) so that nonlocal accounts cannot gain access to local credentials. It does this by acting as a filter in front of the nonlocal sources, returning information from them only if that information passes certain security checks.

Features

nss_nonlocal provides the following protections:

nss_nonlocal automatically populates the local groups named nss-local-users and nss-nonlocal-users with the users that appear in the local and nonlocal sources, respectively.

nss_nonlocal can be controlled by the environment variable NSS_NONLOCAL_IGNORE. If it is set, nss_nonlocal will mask all information from nonlocal sources. This is useful for doing things like adding a local user with the same username as an existing nonlocal user. On Debian machines at MIT, we wrap dpkg, adduser, useradd, addgroup, and groupadd with a script that sets NSS_NONLOCAL_IGNORE=ignore before executing the original program.

Configuration

Below is an example block of lines from /etc/nsswitch.conf using nss_nonlocal to protect against the security deficiencies of nss_hesiod.

passwd:         compat nonlocal
passwd_nonlocal: hesiod
group:          compat afspag nonlocal
group_nonlocal: hesiod

This configuration causes nss_nonlocal to treat nss_hesiod as a nonlocal source, so that users and groups managed by Hesiod are correctly interpreted by the system without allowing nonlocal users to gain root access to the machine via DNS spoofing.

Even if one were using a nonlocal NSS information source that was not vulnerable to spoofing attacks, nss_nonlocal would still provide useful protection where the local administrator does not trust the NSS information source with root (or other) access on the machine, or where the configuration of that NSS information source contains mistakes.
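As an added example (not code from the nss_nonlocal project), the following POSIX shell script audits an nsswitch.conf for the layout shown above: passwd and group must be routed through nonlocal, each must have a matching *_nonlocal line, and no nonlocal source may appear directly in the passwd or group chain. Treating hesiod and ldap as the nonlocal sources is an assumption taken from the sources named on this page.

```shell
#!/bin/sh
# Added example (not part of nss_nonlocal): audit an nsswitch.conf for the
# layout shown above. Which sources count as nonlocal is an assumption here,
# taken from the sources the page names.
NONLOCAL_SOURCES="hesiod ldap"

# lookup DB FILE: print the service list of the "DB:" line, comments stripped.
lookup() {
    awk -v db="$1:" '{ sub(/#.*/, "") } $1 == db { $1 = ""; print }' "$2"
}

# check_nsswitch FILE: return 0 when passwd and group are filtered through
# nss_nonlocal, each has a *_nonlocal line, and no nonlocal source is listed
# directly in the passwd/group chain; otherwise print each finding, return 1.
check_nsswitch() {
    file=$1 rc=0
    for db in passwd group; do
        services=$(lookup "$db" "$file")
        case " $services " in
            *" nonlocal "*) ;;
            *) echo "$db: nss_nonlocal is not in the lookup chain"; rc=1 ;;
        esac
        [ -n "$(lookup "${db}_nonlocal" "$file")" ] ||
            { echo "${db}_nonlocal: no nonlocal sources configured"; rc=1; }
        for src in $NONLOCAL_SOURCES; do
            case " $services " in
                *" $src "*) echo "$db: $src listed directly, bypassing nss_nonlocal"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample configs: the page's example, and a misconfigured variant.
GOOD_CONF=$(mktemp) BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
passwd:         compat nonlocal
passwd_nonlocal: hesiod
group:          compat afspag nonlocal
group_nonlocal: hesiod
EOF
cat >"$BAD_CONF" <<'EOF'
passwd:         compat hesiod   # hesiod queried without the filter
group:          compat afspag nonlocal
EOF

check_nsswitch "$GOOD_CONF" && echo "good config: ok"
check_nsswitch "$BAD_CONF" || echo "bad config: findings above"
```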

Current release

nss_nonlocal 2.2 was released on 2018-05-05, and is included with Debathena. It is maintained in a Git repository:

git clone git://andersk.mit.edu/nss_nonlocal
You can also browse and download the source.

If you have questions about nss_nonlocal, you can email the developers at debathena@mit.edu.