
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf



On Thu, Apr 27, 2006 at 10:40:32AM -0400, Jesse W. Hathaway wrote:

[...]
>    struct passwd *pw = getpwnam(user);
>    if (pw == NULL)
>       return 0;
> 
>    if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
>       groups = (gid_t *) malloc(ng * sizeof (gid_t));
>       getgrouplist(user, pw->pw_gid, groups, &ng);
>    }
[...]

> doing an strace on the above program when searching for a user in
> /etc/passwd shows ldap being searched, with or without [SUCCESS=return]
> in nsswitch.conf.

The above is not a good example.  Do LDAP lookups happen with a single
getpwnam() call _only_? If yes, then it is a bug, otherwise it's not.

getgrouplist() and initgroups() will _always_ enumerate all NSS group
data sources regardless of action statements. It may be unfortunate
sometimes due to the generated load, but this is how their semantics are
defined. The only solution is not to use LDAP for the group database at
all.

> Changing nsswitch to [UNAVAIL=return] disables ldap
> lookups for all requests even if the user is not in /etc/passwd.

Note that the UNAVAIL status refers only to the generic availability of
the service, it has nothing to do with the user being defined or not.

That said, "files [UNAVAIL=return] ldap" should not disable ldap (quite
the contrary, it should have basically no effect unless you delete
/etc/passwd etc.), so this may need further investigation.

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
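
As an added illustration (not part of the original message and not glibc code), the following C model shows how action statements on one nsswitch.conf line steer a single-key lookup such as getpwnam(), using the documented default actions (SUCCESS=return, every other status continue). The type and function names are hypothetical, and the per-source results are constructed inputs.

```c
/* Added example: a model of one nsswitch.conf line, not glibc source. */
#include <stdio.h>

enum status { SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN, NSTATUS };
enum action { CONTINUE, RETURN };

struct source {
    const char *name;
    enum action act[NSTATUS];  /* what to do after each status */
};

/* Documented defaults: SUCCESS=return, every other status continues. */
#define DEFAULT_ACTIONS { RETURN, CONTINUE, CONTINUE, CONTINUE }

/* Walk the sources in order. results[i] is the status source i reports
   (constructed input). Returns how many sources were consulted. */
int nss_walk(const struct source *chain, int n,
             const enum status *results, enum status *final)
{
    int i;
    for (i = 0; i < n; i++) {
        *final = results[i];
        if (chain[i].act[results[i]] == RETURN)
            return i + 1;
    }
    return n;
}

/* "files [<st>=<act>] ldap"; pass st = -1 for plain "files ldap". */
int walk_files_ldap(int st, enum action act, enum status files_result,
                    enum status ldap_result, enum status *final)
{
    struct source chain[2] = { { "files", DEFAULT_ACTIONS },
                               { "ldap",  DEFAULT_ACTIONS } };
    enum status results[2];
    results[0] = files_result;
    results[1] = ldap_result;
    if (st >= 0 && st < NSTATUS)
        chain[0].act[st] = act;
    return nss_walk(chain, 2, results, final);
}

int main(void)
{
    enum status f;
    /* User present in /etc/passwd: ldap is not consulted either way. */
    printf("files ldap: %d\n", walk_files_ldap(-1, RETURN, SUCCESS, SUCCESS, &f));
    printf("[SUCCESS=return]: %d\n", walk_files_ldap(SUCCESS, RETURN, SUCCESS, SUCCESS, &f));
    /* User absent from files: [UNAVAIL=return] does not stop ldap. */
    printf("[UNAVAIL=return]: %d\n", walk_files_ldap(UNAVAIL, RETURN, NOTFOUND, SUCCESS, &f));
    return 0;
}
```

The model covers single-key lookups only; getgrouplist() and initgroups() are described in the message above as following different semantics and are not modelled here.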


