2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
AUTOMAKE_OPTIONS = 1.0 foreign
|
|
|
|
|
2021-08-18 23:36:02 +05:30
|
|
|
DEFS =
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-12-26 14:48:45 +05:30
|
|
|
noinst_LTLIBRARIES = libshadow.la
|
2007-10-07 17:14:51 +05:30
|
|
|
|
2019-09-20 13:57:31 +05:30
|
|
|
libshadow_la_CPPFLAGS = $(ECONF_CPPFLAGS)
|
|
|
|
if HAVE_VENDORDIR
|
|
|
|
libshadow_la_CPPFLAGS += -DVENDORDIR=\"$(VENDORDIR)\"
|
|
|
|
endif
|
2007-10-07 17:14:51 +05:30
|
|
|
|
2021-07-24 04:21:13 +05:30
|
|
|
libshadow_la_CPPFLAGS += -I$(top_srcdir)
|
|
|
|
|
2007-10-07 17:14:51 +05:30
|
|
|
libshadow_la_SOURCES = \
|
|
|
|
commonio.c \
|
|
|
|
commonio.h \
|
|
|
|
defines.h \
|
|
|
|
encrypt.c \
|
2007-10-07 17:16:52 +05:30
|
|
|
exitcodes.h \
|
2007-10-07 17:14:51 +05:30
|
|
|
faillog.h \
|
2011-02-17 02:02:16 +05:30
|
|
|
fields.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
fputsx.c \
|
|
|
|
getdef.c \
|
|
|
|
getdef.h \
|
2009-03-22 01:54:37 +05:30
|
|
|
get_gid.c \
|
2009-04-11 04:05:26 +05:30
|
|
|
getlong.c \
|
2009-04-25 04:58:15 +05:30
|
|
|
get_pid.c \
|
2009-03-22 01:54:37 +05:30
|
|
|
get_uid.c \
|
2009-04-25 04:58:15 +05:30
|
|
|
getulong.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
groupio.c \
|
2007-11-19 04:50:02 +05:30
|
|
|
groupmem.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
groupio.h \
|
|
|
|
gshadow.c \
|
|
|
|
lockpw.c \
|
subids: support nsswitch
Closes #154
When starting any operation to do with subuid delegation, check
nsswitch for a module to use. If none is specified, then use
the traditional /etc/subuid and /etc/subgid files.
Currently only one module is supported, and there is no fallback
to the files on errors. Several possibilities could be considered:
1. in case of connection error, fall back to files
2. in case of unknown user, also fall back to files
etc...
When non-files nss module is used, functions to edit the range
are not supported. It may make sense to support it, but it also
may make sense to require another tool to be used.
libsubordinateio also uses the nss_ helpers. This is how for instance
lxc could easily be converted to supporting nsswitch.
Add a set of test cases, including a dummy libsubid_zzz module. This
hardcodes values such that:
'ubuntu' gets 200000 - 300000
'user1' gets 100000 - 165536
'error' emulates an nss module error
'unknown' emulates a user unknown to the nss module
'conn' emulates a connection error ot the nss module
Changes to libsubid:
Change the list_owner_ranges api: return a count instead of making the array
null terminated.
This is a breaking change, so bump the libsubid abi major number.
Rename free_subuid_range and free_subgid_range to ungrant_subuid_range,
because otherwise it's confusing with free_subid_ranges which frees
memory.
Run libsubid tests in jenkins
Switch argument order in find_subid_owners
Move the db locking into subordinateio.c
Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-02-01 05:08:20 +05:30
|
|
|
nss.c \
|
2007-10-07 17:15:23 +05:30
|
|
|
nscd.c \
|
|
|
|
nscd.h \
|
2021-11-29 05:07:53 +05:30
|
|
|
shadowlog.c \
|
|
|
|
shadowlog.h \
|
Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
2018-09-12 17:52:11 +05:30
|
|
|
sssd.c \
|
|
|
|
sssd.h \
|
2007-10-07 17:14:51 +05:30
|
|
|
pam_defs.h \
|
|
|
|
port.c \
|
|
|
|
port.h \
|
|
|
|
prototypes.h \
|
|
|
|
pwauth.c \
|
|
|
|
pwauth.h \
|
|
|
|
pwio.c \
|
|
|
|
pwio.h \
|
2007-11-19 04:50:02 +05:30
|
|
|
pwmem.c \
|
2020-03-13 02:44:57 +05:30
|
|
|
run_part.h \
|
|
|
|
run_part.c \
|
2013-01-22 14:44:35 +05:30
|
|
|
subordinateio.h \
|
|
|
|
subordinateio.c \
|
2011-12-10 03:43:02 +05:30
|
|
|
selinux.c \
|
2011-12-10 03:00:19 +05:30
|
|
|
semanage.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
sgetgrent.c \
|
|
|
|
sgetpwent.c \
|
2009-04-11 04:05:43 +05:30
|
|
|
sgetspent.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
sgroupio.c \
|
|
|
|
sgroupio.h\
|
|
|
|
shadow.c \
|
|
|
|
shadowio.c \
|
|
|
|
shadowio.h \
|
2007-11-19 04:50:02 +05:30
|
|
|
shadowmem.c \
|
2011-08-20 19:03:38 +05:30
|
|
|
spawn.c \
|
2007-10-07 17:14:51 +05:30
|
|
|
utent.c
|
|
|
|
|
2010-01-30 Paweł Hajdan, Jr. <phajdan.jr@gentoo.org>
* NEWS: Add support for TCB.
* lib/tcbfuncs.h, lib/tcbfuncs.c, lib/Makefile.am: New library to
support TCB.
* lib/prototypes, libmisc/copydir.c (remove_tree): Add boolean
parameter remove_root.
* configure.in: Add conditional WITH_TCB.
* src/userdel.c, src/usermod.c: Add support for TCB. Update call to
remove_tree().
* src/pwconv.c, src/pwunconv.c: Should not be used with TCB enabled.
* src/vipw.c: Add support for TCB. Update call to remove_tree().
* src/useradd.c: Add support for TCB. Open the shadow file outside
of open_files().
* src/chage.c: Add support for TCB.
* src/Makefile.am: Install passwd sgid shadow when TCB is enabled.
* lib/getdefs.c, man/vipw.8.xml, man/login.defs.5.xml,
man/login.defs/TCB_AUTH_GROUP.xml, man/login.defs/USE_TCB.xml,
man/login.defs/TCB_SYMLINKS.xml, man/generate_mans.mak,
man/generate_mans.deps, man/Makefile.am: New configuration
parameters: TCB_AUTH_GROUP, TCB_SYMLINKS, USE_TCB.
* lib/shadowio.c, lib/commonio.c: Add support for TCB.
2010-03-04 23:41:13 +05:30
|
|
|
if WITH_TCB
|
|
|
|
libshadow_la_SOURCES += tcbfuncs.c tcbfuncs.h
|
|
|
|
endif
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
# These files are unneeded for some reason, listed in
|
|
|
|
# order of appearance:
|
|
|
|
#
|
|
|
|
# sources for dbm support (not yet used)
|
|
|
|
|
2007-10-07 17:14:51 +05:30
|
|
|
EXTRA_DIST = \
|
|
|
|
.indent.pro \
|
2007-10-07 17:15:58 +05:30
|
|
|
gshadow_.h
|