Ticket #1143 (closed defect: invalid)
nss_nonlocal allegedly breaks with recent glibc
| Reported by: | geofft | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | Quantal Quetzal |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | |
| Upstream bug: | | | |
Description
In the discussion on sssd-devel about security equivalent to nss-nonlocal, they pointed out that there are some changes to the initgroups interface that affect our abuse of internal glibc APIs.
This message has some more details about a new option, which sounds like a relevant part of the change:
However, recently glibc added an option so that you can segregate initgroups too. In general we try not to use it because in many cases people do want to have the memberships calculated through all group backends.

However, if you enable "initgroups: files sss", the getgrouplist call does not continue past files into sss if entries are found in files.

I am not sure I like this option, as it is rather new, undocumented, and the semantics may not be really useful, but you may want to experiment with it if you have a new enough glibc. (Was committed to glibc upstream repo on May 10, 2011)
The alleged bug here is that nss_nonlocal wouldn’t add the nss-local-users group to local users if you were to write initgroups: files nonlocal in nsswitch.conf (that’s a new glibc feature; see also #1202). So don’t write that, and nothing breaks.
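As an added example, not code from the ticket or from nss_nonlocal, the following POSIX sh script audits an nsswitch.conf for the configuration the ticket warns against: an explicit "initgroups:" line that names nonlocal. It also reports which line glibc will actually consult for initgroups(3), since glibc falls back to the "group:" line when no "initgroups:" line is present. The two sample configurations are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ticket or the nss_nonlocal project).
# Assumes POSIX sh with sed, grep and mktemp; sample configs are constructed.

# effective_initgroups FILE
#   Prints the nsswitch line glibc uses for initgroups(3), normalised to
#   "database: svc svc ...": the "initgroups:" line if one exists, otherwise
#   the "group:" line, which glibc falls back to.
effective_initgroups() {
    conf=$(sed 's/#.*//' "$1")                      # drop comments
    line=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*initgroups:' | tail -n 1)
    [ -n "$line" ] || line=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*group:' | tail -n 1)
    printf '%s\n' "$line" \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]+/ /g; s/: */: /'
}

# check_initgroups FILE
#   Returns 0 when no explicit "initgroups:" line names nonlocal, 1 otherwise.
#   With such a line, nss_nonlocal does not add nss-local-users to local users.
check_initgroups() {
    if sed 's/#.*//' "$1" | grep -E '^[[:space:]]*initgroups:' \
        | grep -Eq '(^|[[:space:]])nonlocal([[:space:]]|$)'; then
        echo "WARNING: $1: explicit 'initgroups:' line names nonlocal;" \
             "nss-local-users will not be added to local users" >&2
        return 1
    fi
    return 0
}

# Constructed samples: one relying on the default (initgroups follows the
# group: line), one with the explicit initgroups line the ticket warns against.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
passwd:   files nonlocal
group:    files nonlocal
EOF

cat > "$BAD_CONF" <<'EOF'
passwd:     files nonlocal
group:      files nonlocal
initgroups: files nonlocal   # newer glibc option; do not write this with nonlocal
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    printf '%s: initgroups resolves via "%s"\n' "$f" "$(effective_initgroups "$f")"
    if check_initgroups "$f"; then echo "  ok"; else echo "  misconfigured"; fi
done
```

Run it against a real system with `check_initgroups /etc/nsswitch.conf`; a non-zero return flags the case the ticket describes, while the absence of an "initgroups:" line means group membership continues to be computed through the "group:" line as before.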