Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Gabor Gombas
On Thu, Apr 27, 2006 at 10:40:32AM -0400, Jesse W. Hathaway wrote:

> [...]
> struct passwd *pw = getpwnam(user);
> if (pw == NULL)
>    return 0;
> 
> if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
>    groups = (gid_t *) malloc(ng * sizeof (gid_t));
>    getgrouplist(user, pw->pw_gid, groups, &ng);
> }
> [...]
> 
> doing an strace on the above program when searching for a user in
> /etc/passwd shows ldap being searched, with or without [SUCCESS=return]
> in nsswitch.conf.

The above is not a good example.  Do LDAP lookups happen with a single
getpwnam() call _only_? If yes, then it is a bug, otherwise it's not.

getgrouplist() and initgroups() will _always_ enumerate all NSS group
data sources regardless of action statements. It may be unfortunate
sometimes due to the generated load, but this is how their semantics are
defined. The only solution is not to use LDAP for the group database at
all.

> Changing nsswitch to [UNAVAIL=return] disables ldap
> lookups for all requests even if the user is not in /etc/passwd.

Note that the UNAVAIL status refers only to the generic availability of
the service, it has nothing to do with the user being defined or not.

That said, files [UNAVAIL=return] ldap should not disable ldap (quite
the contrary, it should have basically no effect unless you delete
/etc/passwd etc.), so this may need further investigation.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Jesse W. Hathaway
> On Thu, Apr 27, 2006 at 10:40:32AM -0400, Jesse W. Hathaway wrote:
> 
> > [...]
> > struct passwd *pw = getpwnam(user);
> > if (pw == NULL)
> >    return 0;
> > 
> > if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
> >    groups = (gid_t *) malloc(ng * sizeof (gid_t));
> >    getgrouplist(user, pw->pw_gid, groups, &ng);
> > }
> > [...]
> 
> > doing an strace on the above program when searching for a user in
> > /etc/passwd shows ldap being searched, with or without [SUCCESS=return]
> > in nsswitch.conf.
> 
> The above is not a good example.  Do LDAP lookups happen with a single
> getpwnam() call _only_? If yes, then it is a bug, otherwise it's not.
> 
> getgrouplist() and initgroups() will _always_ enumerate all NSS group
> data sources regardless of action statements. It may be unfortunate
> sometimes due to the generated load, but this is how their semantics are
> defined. The only solution is not to use LDAP for the group database at
> all.

If this is the case then why does the man page for nsswitch.conf give
the option of specifying [SUCCESS=return] for the group database, when
this has no effect on the above functions? I think it should be noted
in nsswitch.conf's man page that the entire group list is always
searched.

Why is it defined that getgrouplist() and initgroups() _always_
enumerate all NSS groups? This can cause problems for system daemons. For
instance apache2 does an initgroups every time it spawns a thread, which
results in my ldap servers being pounded when I have high load on my
webservers. Nscd is a possible solution to the problem, but the version
in stable does not cache initgroup requests, and the version in unstable
invalidates them prematurely. Having the ability to not search other
databases for local name service lookups seems like a valuable function.

> > Changing nsswitch to [UNAVAIL=return] disables ldap
> > lookups for all requests even if the user is not in /etc/passwd.
> 
> Note that the UNAVAIL status refers only to the generic availability of
> the service, it has nothing to do with the user being defined or not.
> 
> That said, files [UNAVAIL=return] ldap should not disable ldap (quite
> the contrary, it should have basically no effect unless you delete
> /etc/passwd etc.), so this may need further investigation.
> 
> Gabor





Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Gabor Gombas
On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:

> Why is it defined that getgrouplist() and initgroups() _always_
> enumerate all NSS groups?

Just think about the simple case when a user defined in /etc/passwd is
also a member of a group that is only defined in LDAP. getgrouplist()
and initgroups() MUST support this.

Or another viewpoint: when enumerating entries neither the SUCCESS
nor the NOTFOUND conditions occur until all backends are exhausted, so
[SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.

Btw. both the nsswitch.conf man page and the glibc documentation say:

   The second item in the specification gives the user much finer
   control on the lookup process.

So they only mention the _lookup_ process (i.e. getXXbyYY()), they do
not say that action statements would have any effect on enumeration.

> This can cause problems for system daemons. For
> instance apache2 does an initgroups every time it spawns a thread, which
> results in my ldap servers being pounded when I have high load on my
> webservers. Nscd is a possible solution to the problem, but the version
> in stable does not cache initgroup requests, and the version in unstable
> invalidates them prematurely. Having the ability to not search other
> databases for local name service lookups seems like a valuable function.

That is a well-known scenario and the usual advice is not to use LDAP
as the group NSS backend.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences


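As an added illustration (not code from the thread or from glibc), the following Python model applies nsswitch.conf action rules the way the thread describes them: a getpwnam()-style lookup stops at the first service whose status maps to "return", while a getgrouplist()-style enumeration consults every available service and merges the results, so [SUCCESS=return] stops the former but not the latter. The parser, the backend layout and the sample directory contents are constructed for this example.

```python
import re

# Documented glibc defaults: only SUCCESS returns; every other status continues.
DEFAULT = {"SUCCESS": "return", "NOTFOUND": "continue", "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_spec(line):
    """'files [SUCCESS=return] ldap' -> [(service, {STATUS: action}), ...]; a bracketed
    rule binds to the service before it and overrides DEFAULT (negated '!' rules not modelled)."""
    spec = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line):
        if not tok.startswith("["):
            spec.append((tok, {}))
            continue
        for rule in tok[1:-1].split():
            status, action = rule.upper().split("=")
            if status not in DEFAULT or action not in ("RETURN", "CONTINUE"):
                raise ValueError("unsupported action rule: " + rule)
            spec[-1][1][status] = action.lower()
    return spec

def lookup(spec, backends, key):
    """getpwnam()-style single lookup: stop at the first service whose status maps to 'return'."""
    queried = []
    for service, rules in spec:
        queried.append(service)
        data = backends.get(service)  # a missing backend models an unavailable service
        found = None if data is None else data["passwd"].get(key)
        status = "UNAVAIL" if data is None else ("SUCCESS" if found is not None else "NOTFOUND")
        if rules.get(status, DEFAULT[status]) == "return":
            return found, queried
    return None, queried

def grouplist(spec, backends, user):
    """getgrouplist()-style enumeration as the thread describes it: every available service is
    consulted and merged, so SUCCESS/NOTFOUND rules never fire (UNAVAIL rules not modelled)."""
    gids, queried = set(), []
    for service, _ in spec:
        queried.append(service)
        data = backends.get(service)
        if data is not None:
            gids.update(g for g, members in data["group"].items() if user in members)
    return sorted(gids), queried

# Constructed sample directories: www-data is local only; alice is local but also in an
# LDAP-only group; bob exists only in LDAP. passwd maps name -> primary gid.
BACKENDS = {
    "files": {"passwd": {"www-data": 33, "alice": 1000}, "group": {33: {"www-data"}, 1000: {"alice"}}},
    "ldap": {"passwd": {"bob": 2000}, "group": {5000: {"alice", "bob"}}},
}
```

With the sample data, lookup("www-data") never touches ldap, while grouplist("www-data") queries both services even though the user has no LDAP groups; that is exactly the load pattern the thread complains about.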



Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Jesse W. Hathaway
> On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:
> 
> > Why is it defined that getgrouplist() and initgroups() _always_
> > enumerate all NSS groups?
> 
> Just think about the simple case when a user defined in /etc/passwd is
> also a member of a group that is only defined in LDAP. getgrouplist()
> and initgroups() MUST support this.

I do understand why this feature is needed. However, the additional
feature of having the ability to disable this function is also needed.
It is quite common for the users used for system daemons not to be
included in groups found in network directories. It seems needless to
query network directories for system daemons such as apache.

> Or another viewpoint: when enumerating entries neither the SUCCESS
> nor the NOTFOUND conditions occur until all backends are exhausted, so
> [SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.
> 
> Btw. both the nsswitch.conf man page and the glibc documentation say:
> 
>    The second item in the specification gives the user much finer
>    control on the lookup process.
> 
> So they only mention the _lookup_ process (i.e. getXXbyYY()), they do
> not say that action statements would have any effect on enumeration.

Enumeration is a lookup process, so I still think the man page is
unclear as to what effect the action statement will have in the group
database option.

> > This can cause problems for system daemons. For
> > instance apache2 does an initgroups every time it spawns a thread, which
> > results in my ldap servers being pounded when I have high load on my
> > webservers. Nscd is a possible solution to the problem, but the version
> > in stable does not cache initgroup requests, and the version in unstable
> > invalidates them prematurely. Having the ability to not search other
> > databases for local name service lookups seems like a valuable function.
> 
> That is a well-known scenario and the usual advice is not to use LDAP
> as the group NSS backend.

Given that one of the main features of LDAP and NIS is consistent
groups across all machines, I think it would be beneficial to support
querying network directories selectively.





Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Gabor Gombas
On Fri, Apr 28, 2006 at 10:51:38AM -0400, Jesse W. Hathaway wrote:

> I do understand why this feature is needed. However, the additional
> feature of having the ability to disable this function is also needed.
> It is quite common for the users used for system daemons not to be
> included in groups found in network directories. It seems needless to
> query network directories for system daemons such as apache.

Yes, in some cases such a feature would be useful, but that feature
currently does not exist.

> Enumeration is a lookup process, so I still think the man page is
> unclear as to what effect the action statement will have in the group
> database option.

The documentation might be improved, but the documentation of SUCCESS
talks about "the wanted entry" and the documentation of NOTFOUND talks
about "the needed value", both terms having no meaning for enumeration.
Well, you can interpret those terms as "all possible entries"; either
way you get that SUCCESS and NOTFOUND action rules have no effect on
enumeration.

> Given that one of the main features of LDAP and NIS is consistent
> groups across all machines, I think it would be beneficial to support
> querying network directories selectively.

I think the reason this was not solved much easier is that it is not a
problem for NIS/NIS+. They need much fewer resources than LDAP.
Enumerating over a couple thousand users using NIS+ was not a problem
when I last did it; doing the same with LDAP produces quite a
significant load.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences,
Laboratory of Parallel and Distributed Systems
Address   : H-1132 Budapest Victor Hugo u. 18-22. Hungary
Phone/Fax : +36 1 329-78-64 (secretary)
W3: http://www.lpds.sztaki.hu





Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-28 Thread Jesse W. Hathaway
> On Fri, Apr 28, 2006 at 10:51:38AM -0400, Jesse W. Hathaway wrote:
> 
> > I do understand why this feature is needed. However, the additional
> > feature of having the ability to disable this function is also needed.
> > It is quite common for the users used for system daemons not to be
> > included in groups found in network directories. It seems needless to
> > query network directories for system daemons such as apache.
> 
> Yes, in some cases such a feature would be useful, but that feature
> currently does not exist.
> 
> > Enumeration is a lookup process, so I still think the man page is
> > unclear as to what effect the action statement will have in the group
> > database option.
> 
> The documentation might be improved, but the documentation of SUCCESS
> talks about "the wanted entry" and the documentation of NOTFOUND talks
> about "the needed value", both terms having no meaning for enumeration.
> Well, you can interpret those terms as "all possible entries"; either
> way you get that SUCCESS and NOTFOUND action rules have no effect on
> enumeration.
> 
> > Given that one of the main features of LDAP and NIS is consistent
> > groups across all machines, I think it would be beneficial to support
> > querying network directories selectively.
> 
> I think the reason this was not solved much easier is that it is not a
> problem for NIS/NIS+. They need much fewer resources than LDAP.
> Enumerating over a couple thousand users using NIS+ was not a problem
> when I last did it; doing the same with LDAP produces quite a
> significant load.

It might be the case that NIS handles the queries faster; however, with
either directory server, the loss of network connectivity should not
impact the system daemons. A laptop is a good example of a system where
this situation occurs on a regular basis.





Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf

2006-04-27 Thread Jesse W. Hathaway
Package: libc6
Version: 2.3.6-7

With nsswitch.conf set to

passwd: files ldap
group:  files ldap
shadow: files ldap

When looking up groups for which a user is a member, libc searches
both files and ldap, even if the user is present in files. This is
contrary to what is stated in the manpage.

success
   No error occurred and the wanted entry is returned.
   The default action for this is ‘return’.

In addition, even if the return action is added explicitly:

passwd: files [SUCCESS=return] ldap
group:  files [SUCCESS=return] ldap
shadow: files [SUCCESS=return] ldap

both files and ldap are still searched:

test program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>

int main(int argc, char *argv[]) {
   int i, ng = 0;
   int length;
   char *user;
   gid_t *groups = NULL;

   if (argc != 2) {
      printf("Usage: grouptest username\n");
      exit(1);
   }
   length = strlen(argv[1]) + 1;
   user = (char *) malloc(length);
   if (user == NULL) {
      printf("Error on malloc");
      exit(1);
   }
   strcpy(user, argv[1]);
   printf("%s groups:\n", user);

   /* Single-entry lookup: walks the passwd sources listed in nsswitch.conf */
   struct passwd *pw = getpwnam(user);
   if (pw == NULL)
      return 0;

   /* With a NULL buffer and ng = 0 the first call fails and stores the number
      of groups in ng; the second call fills the buffer. Both calls enumerate
      every group source listed in nsswitch.conf. */
   if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
      groups = (gid_t *) malloc(ng * sizeof (gid_t));
      if (groups == NULL) {
         printf("Error on malloc");
         exit(1);
      }
      getgrouplist(user, pw->pw_gid, groups, &ng);
   }

   for (i = 0; i < ng; i++)
      printf("%d\n", (int) groups[i]);
   free(groups);
   free(user);
   return 0;
}

Doing an strace on the above program when searching for a user in
/etc/passwd shows ldap being searched, with or without [SUCCESS=return]
in nsswitch.conf. Changing nsswitch to [UNAVAIL=return] disables ldap
lookups for all requests even if the user is not in /etc/passwd.

-Jesse