
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf



Package: libc6
Version: 2.3.6-7

With nsswitch.conf set to:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

When looking up groups for which a user is a member, libc searches
both files and ldap, even if the user is present in files. This is
contrary to what is stated in the manpage.

success
   No error occurred and the wanted entry is returned.
   The default action for this is ‘return’.

In addition even if the return is added explicitly:

passwd:         files [SUCCESS=return] ldap
group:          files [SUCCESS=return] ldap
shadow:         files [SUCCESS=return] ldap

both files and ldap are still searched:

test program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>

int main(int argc, char *argv[]) {
   int i, ng = 0;
   int length;
   char *user;
   gid_t *groups = NULL;

   if(argc != 2) {
      printf("Usage: grouptest username\n");
      exit(1);
   }
   length = strlen(argv[1]) + 1;
   user = (char *) malloc(length);
   if (user == NULL) {
      printf("Error on malloc\n");
      exit(1);
   }
   strcpy(user,argv[1]);
   printf("%s groups:\n",user);
   struct passwd *pw = getpwnam(user);
   if (pw == NULL)
      return 0;

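   /* With ng == 0 the first call fails and stores the required count in ng. */
   if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
      groups = (gid_t *) malloc(ng * sizeof (gid_t));
      if (groups == NULL) {
         printf("Error on malloc\n");
         exit(1);
      }
      getgrouplist(user, pw->pw_gid, groups, &ng);
   }

   /* gid_t is unsigned; cast so the format specifier matches. */
   for(i = 0; i < ng; i++)
      printf("%lu\n", (unsigned long) groups[i]);
   free(groups);
   free(user);
   return 0;
}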

Doing an strace on the above program when searching for a user in
/etc/passwd shows ldap being searched, with or without [SUCCESS=return]
in nsswitch.conf. Changing nsswitch to [UNAVAIL=return] disables ldap
lookups for all requests even if the user is not in /etc/passwd.

-Jesse


