Ticket #1143 (closed defect: invalid)

Opened 12 years ago

Last modified 12 years ago

nss_nonlocal allegedly breaks with recent glibc

Reported by: geofft Owned by:
Priority: high Milestone: Quantal Quetzal
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

In the discussion on sssd-devel about security equivalent to nss-nonlocal, they  pointed out that there are some changes to the initgroups interface that affect our abuse of internal glibc APIs.

 This message has some more details about a new option, which sounds like a relevant part of the change:

However, recently glibc added an option so that you can segregate
initgroups too. In general we try not to use it becaus ein many cases
people do want to have the memberships calculated through all group
backends.
However if you enable "initgroupos: files sss", the getgrouplist call do
not continue past files into sss if entries are found in files.
I am not sure I like this option, as it is rather new, undocumented, and
the semantics may not be really useful, but you may want to experiment
with it if you have a new enough glibc. (Was committed to glibc upstream
repo on may 10 2011)

Change History

comment:1 Changed 12 years ago by andersk

  • Status changed from new to closed
  • Resolution set to invalid

The alleged bug here is that nss_nonlocal wouldn’t add the nss-local-users group to local users if you were to write initgroups: files nonlocal in nsswitch.conf (that’s a new glibc feature; see also #1202). So don’t write that, and nothing breaks.

comment:2 Changed 12 years ago by jdreed

Is it worth documenting this somewhere other than a Trac comment?

Note: See TracTickets for help on using tickets.