GNU bug report logs - #70992
[PATCH] services: nscd: Enable ‘passwd’ and ‘group’ caches by default.

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 16 May 2024 21:03:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludovic.courtes <at> inria.fr>
Subject: [PATCH] services: nscd: Enable ‘passwd’ and ‘group’ caches by default.
Date: Thu, 16 May 2024 23:01:45 +0200

From: Ludovic Courtès <ludovic.courtes <at> inria.fr>

This allows users to specify NSS plugins such as LDAP via the
‘name-services’ field of <nscd-configuration>.  Failing that, user code
will dlopen whatever passwd/group plugins are listed in
/etc/nsswitch.conf, which is likely to fail, typically because those are
not in $LD_LIBRARY_PATH.

* gnu/services/base.scm (%nscd-default-caches): Add ‘passwd’ and ‘group’
caches.

Change-Id: I9c03346a1de2710685f7801eccd2e08007427f5d
---
 gnu/services/base.scm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

Hi!

I realized by looking at ‘strace id’ that our nscd instance was replying
negatively to passwd and group lookups (to my surprise).  Turns out we
need to explicitly enable caching of a database in nscd.conf if we want
nscd to honor lookups for that database.

We really need nscd to honor passwd/group lookups if we want to support
NSS plugins like LDAP or sss.  (Now I realize that this is something
Jean-François et al. probably experienced with their OpenLDAP service
at <https://issues.guix.gnu.org/52578>.)

Thoughts?

Ludo’.

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 85160bd3abb..15f3807efcc 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1340,7 +1340,22 @@ (define %nscd-default-caches
                     (positive-time-to-live (* 3600 24))
                     (negative-time-to-live 3600)
                     (check-files? #t)             ;check /etc/services changes
-                    (persistent? #t))))
+                    (persistent? #t))
+
+        ;; Enable minimal caching of the user databases, not so much for
+        ;; caching but rather to allow that uses of NSS plugins like LDAP
+        ;; don't lead user processes to dlopen them (which is likely to fail
+        ;; due to them not being found in $LD_LIBRARY_PATH).
+        (nscd-cache (database 'passwd)
+                    (positive-time-to-live 600)
+                    (negative-time-to-live 20)
+                    (check-files? #t)             ;check /etc/passwd changes
+                    (persistent? #f))
+        (nscd-cache (database 'group)
+                    (positive-time-to-live 600)
+                    (negative-time-to-live 20)
+                    (check-files? #t)             ;check /etc/group changes
+                    (persistent? #f))))
 
 (define-deprecated %nscd-default-configuration
   #f

base-commit: 58be9a79e2862d5fa9842d73f498ce2e5442b9ce
-- 
2.41.0
This bug report was last modified 353 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.