mirror of
git://sourceware.org/git/glibc.git
synced 2025-01-24 12:25:35 +08:00
ced8f89336
https://sourceware.org/glibc/wiki/Proposals/GroupMerging

== Justification ==

It is common today for users to rely on centrally-managed user stores for handling their user accounts. However, much software existing today does not have an innate understanding of such accounts. Instead, they commonly rely on membership in known groups for managing access-control (for example the "wheel" group on Fedora and RHEL systems or the "adm" group on Debian-derived systems). In the present incarnation of nsswitch, the only way to have such groups managed by a remote user store such as FreeIPA or Active Directory would be to manually remove the groups from /etc/group on the clients so that nsswitch would then move past nss_files and into the SSSD, nss-ldap or other remote user database.

== Solution ==

With this patch, a new action is introduced for nsswitch: NSS_ACTION_MERGE. To take advantage of it, one will add [SUCCESS=merge] between two database entries in the nsswitch.conf file. When a group is located in the first of the two group entries, processing will continue on to the next one. If the group is also found in the next entry (and the group name and GID are an exact match), the member list of the second entry will be added to the group object to be returned.

== Implementation ==

After each DL_LOOKUP_FN() returns, the next action is checked. If the function returned NSS_STATUS_SUCCESS and the next action is NSS_ACTION_MERGE, a copy of the result buffer is saved for the next pass through the loop. If on this next pass through the loop the database returns another instance of a group matching both the group name and GID, the member list is added to the previous list and it is returned as a single object. If the following database does not contain the same group, then the original is copied back into the destination buffer.

This patch implements merge functionality only for the group database. For other databases, there is a default implementation that will return the EINVAL errno if a merge is requested. The merge functionality can be implemented for other databases at a later time if such is needed. Each database must provide a unique implementation of the deep-copy and merge functions.

If [SUCCESS=merge] is present in nsswitch.conf for a glibc version that does not support it, glibc will process results up until that operation, at which time it will return results if it has found them or else will simply return an error. In practical terms, this ends up behaving like the remainder of the nsswitch.conf line does not exist.

== Iterators ==

This feature does not modify the iterator functionality from its current behavior. If getgrnam() or getgrgid() is called, glibc will iterate through all entries in the `group` line in nsswitch.conf and display the list of members without attempting to merge them. This is consistent with the behavior of nss_files where if two separate lines are specified for the same group in /etc/group, getgrnam()/getgrgid() will display both. Clients are already expected to handle this gracefully.

== No Premature Optimizations ==

The following is a list of places that might be eligible for optimization, but were not overengineered for this initial contribution:

* Any situation where a merge may occur will result in one malloc() of the same size as the input buffer.
* Any situation where a merge does occur will result in a second malloc() to hold the list of pointers to member name strings.
* The list of members is simply concatenated together and is not tested for uniqueness (which is identical to the behavior for nss_files, which will simply return identical values if they both exist on the line in the file). This could potentially be optimized to reduce space usage in the buffer, but it is both complex and computationally expensive to do so.

== Testing ==

I performed testing by running the getent utility against my newly-built glibc and configuring /etc/nsswitch.conf with the following entry:

group: files [SUCCESS=merge] sss

In /etc/group I included the line:

wheel:x:10:sgallagh

I then configured my local SSSD using the id_provider=local to respond with:

wheel:*:10:localuser,localuser2

I then ran `getent group wheel` against the newly-built glibc in multiple situations and received the expected output as described above:

* When SSSD was running.
* When SSSD was configured in nsswitch.conf but the daemon was not running.
* When SSSD was configured in nsswitch.conf but nss_sss.so.2 was not installed on the system.
* When the order of 'sss' and 'files' was reversed.
* All of the above with the [SUCCESS=merge] removed (to ensure no regressions).
* All of the above with `getent group 10`.
* All of the above with `getent group` with and without `enumerate=true` set in SSSD.
* All of the above with and without nscd enabled on the system.
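The lookup loop described under Solution, Implementation and Testing, modelled as an added Python example (not glibc code and not part of the commit). It parses the `group:` line of nsswitch.conf and the two group lines from the testing section, then resolves a group by name or GID across the sources in order, applying [SUCCESS=merge] as described. Assumptions: an in-memory dict stands in for the NSS modules, a source absent from that dict models a missing nss_sss.so.2 or a stopped daemon (NOTFOUND), and, because the message does not say what happens when the next source returns a group whose name or GID differs, that case is treated like "not found" and the first result is returned unchanged.

```python
# Constructed model of NSS_ACTION_MERGE semantics; not glibc code.
import re
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    passwd: str
    gid: int
    members: list = field(default_factory=list)

def parse_group_line(line):
    """Parse an /etc/group-style line 'name:passwd:gid:m1,m2' (constructed input)."""
    name, passwd, gid, mem = line.strip().split(":", 3)
    return Group(name, passwd, int(gid), [m for m in mem.split(",") if m])

def parse_nsswitch_group(line):
    """'group: files [SUCCESS=merge] sss' -> [('files', 'merge'), ('sss', 'return')]."""
    spec = line.split(":", 1)[1].split()
    entries = []
    for tok in spec:
        m = re.fullmatch(r"\[SUCCESS=(\w+)\]", tok, re.IGNORECASE)
        if m:                      # the action applies to the preceding source
            entries[-1] = (entries[-1][0], m.group(1).lower())
        else:                      # default action on success is return
            entries.append((tok, "return"))
    return entries

def lookup_group(key, nsswitch_line, sources):
    """Resolve a group by name (str) or GID (int). sources maps source name ->
    list of Group; a source missing from the dict behaves as NOTFOUND (assumption)."""
    saved = None  # copy kept from a source whose success action was merge
    for source, on_success in parse_nsswitch_group(nsswitch_line):
        db = sources.get(source, [])
        hit = next((g for g in db if (g.name if isinstance(key, str) else g.gid) == key), None)
        if saved is not None:
            if hit is not None and (hit.name, hit.gid) == (saved.name, saved.gid):
                # same group name and GID in both sources: concatenate members, no dedup
                hit = Group(saved.name, saved.passwd, saved.gid, saved.members + hit.members)
            else:
                hit = saved  # next source lacks the group (or differs, assumed): original copied back
            saved = None
        if hit is None:
            continue  # NOTFOUND: default action is to continue with the next source
        if on_success == "merge":
            saved = hit
            continue
        return hit
    return saved  # merge was the last action: return whatever was accumulated
```

A membership check on a group such as wheel therefore sees members from both sources once merge is configured, which is the access-control effect an administrator should expect and audit.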
This directory contains the sources of the GNU C Library. See the file "version.h" for what release version you have.

The GNU C Library is the standard system C library for all GNU systems, and is an important part of what makes up a GNU system. It provides the system API for all programs written in C and C-compatible languages such as C++ and Objective C; the runtime facilities of other programming languages use the C library to access the underlying operating system.

In GNU/Linux systems, the C library works with the Linux kernel to implement the operating system behavior seen by user applications. In GNU/Hurd systems, it works with a microkernel and Hurd servers.

The GNU C Library implements much of the POSIX.1 functionality in the GNU/Hurd system, using configurations i[4567]86-*-gnu. The current GNU/Hurd support requires out-of-tree patches that will eventually be incorporated into an official GNU C Library release.

When working with Linux kernels, this version of the GNU C Library requires Linux kernel version 3.2 or later on all architectures except i[4567]86 and x86_64, where Linux kernel version 2.6.32 or later suffices.

Also note that the shared version of the libgcc_s library must be installed for the pthread library to work correctly.

The GNU C Library supports these configurations for using Linux kernels:

	aarch64*-*-linux-gnu
	alpha*-*-linux-gnu
	arm-*-linux-gnueabi
	hppa-*-linux-gnu	Not currently functional without patches.
	i[4567]86-*-linux-gnu
	x86_64-*-linux-gnu	Can build either x86_64 or x32
	ia64-*-linux-gnu
	m68k-*-linux-gnu
	microblaze*-*-linux-gnu
	mips-*-linux-gnu
	mips64-*-linux-gnu
	powerpc-*-linux-gnu	Hardware or software floating point, BE only.
	powerpc64*-*-linux-gnu	Big-endian and little-endian.
	s390-*-linux-gnu
	s390x-*-linux-gnu
	sh[34]-*-linux-gnu
	sparc*-*-linux-gnu
	sparc64*-*-linux-gnu
	tilegx-*-linux-gnu
	tilepro-*-linux-gnu

If you are interested in doing a port, please contact the glibc maintainers; see http://www.gnu.org/software/libc/ for more information.

See the file INSTALL to find out how to configure, build, and install the GNU C Library. You might also consider reading the WWW pages for the C library at http://www.gnu.org/software/libc/.

The GNU C Library is (almost) completely documented by the Texinfo manual found in the `manual/' subdirectory. The manual is still being updated and contains some known errors and omissions; we regret that we do not have the resources to work on the manual as much as we would like. For corrections to the manual, please file a bug in the `manual' component, following the bug-reporting instructions below. Please be sure to check the manual in the current development sources to see if your problem has already been corrected.

Please see http://www.gnu.org/software/libc/bugs.html for bug reporting information. We are now using the Bugzilla system to track all bug reports. This web page gives detailed information on how to report bugs properly.

The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.