tech-userlevel archive


Re: nsswitch



On Sun, Jul 05, 2015 at 12:49:37PM +0200, Edgar Fuß wrote:
 > > Comments?
 > It's reassuring to see that someone seems to care about nsswitch.
 > Seeing no comment on PR#49804 made me believe otherwise.

There's an unfortunate tendency for new package submissions to sit
around, regardless of what they're about...

 > >    - therefore the nsswitch logic needs to support forking
 > >      subprocesses as an alternative to loading .so plugin files;
 >
 > As this would mean the libraries pulled in by the NSS method are not
 > pulled in to the libc consumer, I would regard this as a big win. I
 > regularly ran into problems (before switching to nslcd) with nss_ldap
 > pulling in a different (e.g. pkgsrc vs. base, _r vs. non-_r) version of
 > libldap, libcrypto or whatever.

I imagine there's no chance of a nsswitch plugin .so file working if
it uses pkgsrc openssl and base openssl is a different version.

(The dlfcn(3) man page remains unclear on whether a dlopen'd image can
have an isolated symbol name scope, but my understanding has always
been that this sort of thing doesn't work.)

 > But wouldn't it be a more general approach to rip most of the code out of 
 > libc and switch to a client/server model? I.e. a nsswitchd listening on a 
 > socket?

I have been thinking about that too; the problem with this is that
anytime you have a daemon, the daemon can die... and with nsswitch
that becomes critical: if you can't look up passwords you can't su to
restart the daemon. Plus since the daemon itself is necessarily linked
to libc, you get into an interesting situation if it itself
accidentally tries to use anything nsswitched.

So maybe it should be supported as a supplementary method, and
connecting to an already-running global daemon is only slightly
different from forking a private one, but I don't think it should be
the general method.

 > I seem to remember IRIX using an elegant solution with a
 > pseudo-filesystem, but the drawback would be how to add custom
 > sources to it.

Not sure I follow how this would be set up: libc reads from (e.g.)
/nsswitch/passwd, and /nsswitch is a virtual fs whose usermode driver
knows how to e.g. do NIS?

 > > I only see two in pkgsrc.
 > There would be another one if somebody cared to import my nslcd port.

ok three :-)  That's still not too many to patch.

-- 
David A. Holland
dholland%netbsd.org@localhost
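
The forked-helper lookup discussed in this message, as an added example that is not code from the thread or from NetBSD: the caller execs a helper instead of dlopen()ing a plugin, so the helper's libraries never enter the caller's image, and a helper that dies is reported as an unavailable source. The names helper_lookup and HLP_*, the exit-status convention, and the /bin/sh stand-in helper with its sample entry are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical convention: helper exits 0 = found, 1 = no entry, else failed. */
enum { HLP_SUCCESS, HLP_NOTFOUND, HLP_UNAVAIL };

/* Exec the helper in a child; copy its first output line into out. */
static int helper_lookup(char *const argv[], char *out, size_t outlen)
{
    int fds[2], st;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (pipe(fds) == -1)
        return HLP_UNAVAIL;
    pid = fork();
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);     /* helper's stdout -> pipe */
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);            /* helper's libraries load here only */
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    while (pid > 0 && used < outlen - 1 &&
        (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    close(fds[0]);
    out[used] = '\0';
    out[strcspn(out, "\n")] = '\0';      /* keep the first line only */
    if (pid == -1 || waitpid(pid, &st, 0) == -1 || !WIFEXITED(st))
        return HLP_UNAVAIL;              /* fork failure, crash or kill */
    if (WEXITSTATUS(st) == 0 && out[0] != '\0')
        return HLP_SUCCESS;
    return WEXITSTATUS(st) == 1 ? HLP_NOTFOUND : HLP_UNAVAIL;
}

int main(void)
{
    char line[128];
    char *const argv[] = { "/bin/sh", "-c",   /* constructed stand-in helper */
        "echo 'alice:*:1000:100::/home/alice:/bin/sh'", NULL };
    int rc = helper_lookup(argv, line, sizeof line);
    printf("status=%d entry=%s\n", rc, line);
    return rc != HLP_SUCCESS;
}
```

Because a crashed helper comes back as HLP_UNAVAIL rather than an error in the caller, the calling code can fall through to the next configured source.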

