
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf



On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:

> Why is it defined that getgrouplist() and initgroups() _always_
> enumerate all NSS groups?

Just think about the simple case when a user defined in /etc/passwd is
also a member of a group that is only defined in LDAP. getgrouplist()
and initgroups() MUST support this.

Or another viewpoint: when enumerating entries neither the "SUCCESS"
nor the "NOTFOUND" conditions occur until all backends are exhausted, so
[SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.

Btw. both the nsswitch.conf man page and the glibc documentation say:

	The second item in the specification gives the user much finer
	control on the lookup process.

So they only mention the _lookup_ process (i.e. getXXbyYY()), they do
not say that action statements would have any effect on enumeration.

> This can cause problems for system daemons. For
> instance apache2 does an initgroups every time it spawns a thread, which
> results in my ldap servers being pounded when I have high load on my
> webservers. Nscd is a possible solution to the problem, but the version
> in stable does not cache initgroup requests, and the version in unstable
> invalidates them prematurely. Having the ability to not search other
> databases for local name service lookups seems like a valuable function.

That is a well-known scenario and the usual advice is "do not use LDAP
as the group NSS backend".

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
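As an added illustration of the enumeration point above (example code, not part of the original message), the following C program gathers a user's supplementary groups with getgrouplist(3), including the buffer-size renegotiation the call requires; the user name "root" and primary gid 0 are assumed only for the demonstration.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Collect the supplementary groups of `user` via getgrouplist(3).
 * glibc walks every backend listed for "group" in nsswitch.conf
 * (files, ldap, ...) on each call, because enumeration never yields a
 * per-backend SUCCESS/NOTFOUND for [SUCCESS=return] to act on.  A daemon
 * that calls this (or initgroups()) per request therefore queries every
 * backend every time.  Returns the number of gids stored in *out (caller
 * frees), or -1 on error. */
int gather_groups(const char *user, gid_t primary, gid_t **out)
{
    int cap = 16;               /* initial guess at the group count */
    gid_t *groups = NULL;

    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)cap * sizeof *tmp);
        if (!tmp) { free(groups); return -1; }
        groups = tmp;

        int n = cap;
        /* On success n holds the number of gids written.  On overflow the
         * call returns -1 and sets n to the total required; retry once
         * with a buffer of that size. */
        if (getgrouplist(user, primary, groups, &n) != -1) {
            *out = groups;
            return n;
        }
        if (n <= cap) { free(groups); return -1; }  /* no progress */
        cap = n;
    }
}

/* True if `gid` appears in the gathered list. */
int has_group(const gid_t *groups, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == gid) return 1;
    return 0;
}

int main(void)
{
    gid_t *g = NULL;
    int n = gather_groups("root", 0, &g);   /* assumed demo account */
    for (int i = 0; i < n; i++) printf("%u\n", (unsigned)g[i]);
    free(g);
    return n < 0;
}
```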


