
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf



> On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:
> 
> > Why is it defined that getgrouplist() and initgroups() _always_
> > enumerate all NSS groups?
> 
> Just think about the simple case when a user defined in /etc/passwd is
> also a member of a group that is only defined in LDAP. getgrouplist()
> and initgroups() MUST support this.

I do understand why this feature is needed. However, the additional 
feature of having the ability to disable this function is also needed.
It is quite common for none of the users used by system daemons to be
included in groups found in network directories. It seems needless to
query network directories for system daemons such as apache.

> Or an other viewpoint: when enumerating entries neither the "SUCCESS"
> nor the "NOTFOUND" conditions occur until all backends are exhausted, so
> [SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.
> 
> Btw. both the nsswitch.conf man page and the glibc documentation say:
> 
> 	The second item in the specification gives the user much finer
> 	control on  the  lookup  process.
> 
> So they only mention the _lookup_ process (i.e. getXXbyYY()), they do
> not say that action statements would have any effect on enumeration.

Enumeration is a lookup process, so I still think the man page is
unclear as to what effect the action statement will have in the group
database option.

> > This can cause problems for system daemons. For
> > instance apache2 does an initgroups every time it spawns a thread, which
> > results in my ldap servers being pounded when I have high load on my
> > webservers. Nscd is a possible solution to the problem, but the version
> > in stable does not cache initgroup requests, and the version in unstable
> > invalidates them prematurely. Having the ability to not search other
> > databases for local name service lookups seems like a valuable function.
> 
> That is a well-known scenario and the usual advice is "do not use LDAP
> as the group NSS backend".

Given that one of the main features of LDAP and NIS is consistent
groups across all machines, I think it would be beneficial to support
querying network directories selectively.
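The two nsswitch.conf fragments below are an added illustration of the behaviour argued about in this report; they are not part of the bug report, of Debian's documentation, or of glibc. Fragment A is what the discussion suggests the reporter tried (an assumption on our part), and shows why it does not help with initgroups(). Fragment B relies on the separate "initgroups" database that a later glibc release added (see nsswitch.conf(5) on the target system to confirm it is supported there); it did not exist when this report was filed.

```conf
# Added example, not from the bug report or from glibc's documentation.
# Fragment A and Fragment B are ALTERNATIVES: use one or the other in
# /etc/nsswitch.conf, never both.

# ---- Fragment A: action statement on the group database (assumed setup) ----
# [SUCCESS=return] affects single-entry lookups such as getgrnam() and
# getgrgid(): if the group is found in files, ldap is never consulted.
# It has no effect on getgrouplist()/initgroups(), which enumerate every
# backend before they can know the full membership, so a daemon that calls
# initgroups() on each worker start still hits the LDAP servers every time.
passwd:  files ldap
group:   files [SUCCESS=return] ldap

# ---- Fragment B: separate initgroups database (newer glibc only) ----
# Where the initgroups database is supported, the supplementary-group
# enumeration done by getgrouplist()/initgroups() can be confined to
# files while getgrnam()/getgrgid() still reach LDAP.  If the initgroups
# line is absent, glibc falls back to the "group" line, i.e. Fragment A's
# behaviour.
passwd:     files ldap
group:      files ldap
initgroups: files

# Caveat for Fragment B: a user defined in /etc/passwd who is a member of a
# group that exists only in LDAP will no longer get that group at login,
# which is exactly the case the maintainer says must keep working.  Apply
# "initgroups: files" only on hosts where no local account depends on
# LDAP-only groups (for example, a web server whose local users are all
# daemon accounts).
```

To check what a given host actually does, compare `getent group <name>` (a getgrnam() lookup, subject to the action statement) with `id <user>` (which uses getgrouplist() and so follows the initgroups behaviour) while watching the LDAP server logs; with Fragment A the second command still produces LDAP traffic even for users whose groups are all in /etc/group.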
