On Wed, Mar 07, 2018 at 02:00:03PM +0100, Florian Weimer wrote:
> On 03/07/2018 01:55 PM, Stephen Gallagher wrote:
> >Yes, SSSD monitors those files and automatically cleans its cache.
> >
> >However, you're right. On systems not using SSSD (which I suspect is a
> >nontrivial number of systems running systemd...), people are probably still
> >using nss and we should call `nscd -i passwd` (plus `group` and `shadow`
> >where appropriate) if the nscd service is running.
> nscd is supposed to monitor these files, too.
> But is this monitoring sufficient?  RPM will immediately start
> installing files after the scriptlet has finished.  nscd and SSSD
> may not have completed their cache invalidation at this point, so
> this looks like a race condition to me.

That sounds like a bug in the cache implementation. nscd and sssd
simply _must_ ensure that their copy of passwd is the latest one.
Shouldn't be a problem to call fstatat() before generating an answer
an invalidate the cache if it returns a different mtime then previously.

devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Reply via email to