Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nss-systemd: also expose shadow/gshadow entries from userdb records #19545

Merged
merged 2 commits into from
May 10, 2021
Merged

nss-systemd: also expose shadow/gshadow entries from userdb records #19545

merged 2 commits into from
May 10, 2021

Conversation

poettering
Copy link
Member

Split out of #19528

yuwata
yuwata approved these changes May 7, 2021
View reviewed changes
Copy link
Member

@yuwata yuwata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but CIs are unhappy.

src/nss-systemd/nss-systemd.c Outdated Show resolved Hide resolved
@poettering
nss-systemd: set USERDB_SUPPRESS_SHADOW flag when looking up user rec…
09001db 
…ords

Setting the flags means we won#t try to read the data from /etc/shadow
when reading a user record, thus slightly making conversion quicker and
reducing the chance of generating MAC faults, because we needlessly
access a privileged resource. Previously, passing the flag didn't
matter, when converting our JSON records to NSS since the flag only had
an effect on whether to use NSS getspnam() and related calls or not. But
given that we turn off NSS anyway as backend for this conversion (since
we want to avoid NSS loops, where we turn NSS data to our JSON user
records, and then to NSS forever and ever) it was unnecessary to pass
it.

This changed in one of the previous commits however, where we added
support for reading user definitions from drop-in files, with separate
drop-in files for the shadow data.
@poettering
nss-systemd: synthesize NSS shadow/gshadow records from userdb, as well
f43a19e 
This ensures we not only synthesize regular paswd/group records of
userdb records, but shadow records as well. This should make sure that
userdb can be used as comprehensive superset of the classic
passwd/group/shadow/gshadow functionality.
@poettering
Copy link
Member Author

Force pushed a new version. Only changes are the suggested one. Upgrading label

@poettering poettering added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed good-to-merge/with-minor-suggestions labels May 8, 2021
@poettering poettering merged commit 2baec39 into systemd:main May 10, 2021
gentoo-bot pushed a commit to gentoo/glibc that referenced this pull request May 25, 2021
@akhuettel
Gentoo: nsswitch.conf: Add nss-systemd hook also to shadow and gshadow
c834ea3 
See-also: systemd/systemd#19545
See-also: systemd/systemd@f43a19e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuwata yuwata yuwata approved these changes

Assignees
No one assigned
Labels
good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed nss userdb
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@poettering @yuwata