On Sun, Jan 27, 2013 at 03:15:07PM +0100, Santiago Vila wrote:
> On 27/01/13 15:08, Roger Leigh wrote:
> >On Sun, Jan 27, 2013 at 12:18:30PM +0000, Roger Leigh wrote:
> >>Hi Santiago,
> >>
> >>I've attached a patch for adding support for the "gshadow"
> >>(group shadow) NSS database to nsswitch.conf. Without this,
> >>the libc getsg* family of functions will not work, hence
> >>marking serious or else these functions will be broken for
> >>new installations; would also be nice if it was possible to
> >>add for upgrades as well? Do we have any mechanism for
> >>making NSS updates?
> >>
> >>Note that it's using the "files" service rather than "compat"
> >>here because "compat" does not support gshadow, but "files"
> >>does (can be tested by running "getent gshadow" as root).
> >
> >Updated patch attached. This will upgrade nsswitch.conf in-place
> >on upgrade to add support for gshadow for existing installations,
> >while new installs will get the new nsswitch.conf by default.
> >Note that it's only run for upgrades from base-files << 7.2, so
> >will only be run once.
> >
> >The sed script will insert the new entry after the shadow entry
> >if present, to make it identical to the default nsswitch.conf,
> >otherwise it will be inserted after the group entry which it
> >matches.
>
> No, no, no. Any upgrade mechanism should be in libc-bin.
> This file does not belong to base-files, really.
>
> If we got to the point that we desperately need to upgrade the
> file, libc-bin should be the package doing it.
OK. Maybe for jessie we should remove nsswitch from base-files
entirely and move it, and updating it, to libc-bin.

> >On #debian-devel, we discussed the security implications of
> >enabling this by default,
>
> Please let us discuss this in the open. The logs for this bug should
> be a good place.
>
> I have yet to see what is so broken to justify the serious severity.
> (see my earlier email).

I'll reply to those questions here:

> * Is this a new problem, or is it an old problem that nobody noticed
> until now?

It was supposed to be fixed in squeeze. The glibc parts (NSS, getent)
were updated to support it. But nsswitch wasn't, and it wasn't updated
for wheezy either. I saw glibc had been fixed, and that getent ran
without error, but didn't fully appreciate that it wasn't configured
to actually *work* until today.

> * How many users are affected by this? Does this affect the average user?

Not the average user. But it does affect any system which wishes to
use *group* shadow passwords (gpasswd). The reason for the severity
of the bug was that I don't believe we should be releasing with such
a basic (if not widely used) aspect of system functionality being
broken out of the box.

> * How is it possible that we didn't notice until now?

Largely due to the fact that this is a specialised and not frequently
used facility, and that it *does* work if you edit nsswitch.conf by
yourself to add the gshadow database. But by default it won't work
at all.

> * What package, exactly, does break by *not* having the proposed line?

passwd (gpasswd), and any program making use of the set|getsgent
family of functions in glibc. There isn't a huge number at present.
newgrp (login/shadow) implements its own set of functions; which is
itself broken due to not using NSS (which is currently not possible
due to the above issues).

> (I use NIS and NFS in a computer lab, and it works, so it is hard for me to
> believe that this is RC for wheezy).
None of this will be broken; it's solely group shadow passwords which
break, so it won't be noticeable unless you want a group login or to
perform some other action which requires password validation using
the group shadow db.

> * What is glibc's default value for such a line if missing from nsswitch.conf?
> Should this not be *also* a bug in glibc for not having sane defaults?

I guess so. It should behave as for the passwd/shadow/group defaults.

> [ Update: A simple search tells me you have also filed #699089 against
> libc-bin for this reason ].

This is a related, but separate reason. gpasswd is supported by
"files" but not "compat" (there's not really a compelling reason for
it to be backward compatible, but it would be useful to have, to
prevent people using compat for everything and then having a broken
gpasswd). I'm unsure why we aren't just using "files" for new
installs by default across the board, but that's a separate issue.

> > would also be nice if it was possible to
> > add for upgrades as well? Do we have any mechanism for
> > making NSS updates?
>
> No, we don't have a mechanism for upgrades, but if we had to do that,
> the right package for doing it would be libc-bin:

OK. Maybe this should be cloned and reassigned to libc-bin so that
after wheezy, we can

- drop nsswitch.conf from base-files
- move nsswitch.conf to libc-bin
- update nsswitch.conf in libc-bin (using the logic in the patch here,
  or an update tool to be written).

Kind regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
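The placement rule described in the quoted patch discussion (insert the new entry after "shadow:" so the result matches the default nsswitch.conf, otherwise after "group:"), written out as an added example. This is not the patch attached to this bug nor any base-files or libc-bin maintainer-script code; the function name add_gshadow_entry, the exact whitespace in the inserted line, and taking the file path as a parameter are this example's own choices. It uses the "files" service because, as noted above, "compat" does not support gshadow, and it is idempotent so it can run on every upgrade without duplicating the line.

```sh
#!/bin/sh
# Added example, not code from the bug's patch or from Debian packaging.
# Adds a "gshadow:" NSS database line to an nsswitch.conf-style file:
#   - after the "shadow:" line if present (matches the default file),
#   - otherwise after the "group:" line,
#   - otherwise appended at the end.
# A maintainer script would pass /etc/nsswitch.conf (assumed, not shown here).
set -eu

add_gshadow_entry() {
    conf=$1
    entry='gshadow:        files'   # "files", not "compat": compat has no gshadow support

    # Idempotence: if a gshadow line is already configured, leave the file alone.
    if awk '/^[ \t]*gshadow:/ { found = 1 } END { exit !found }' "$conf"; then
        return 0
    fi

    # Write into the same directory so the final mv replaces the file atomically.
    tmp=$(mktemp "$conf.XXXXXX")

    awk -v entry="$entry" '
        { line[NR] = $0 }
        /^[ \t]*shadow:/ && !s { s = NR }   # preferred anchor (does not match "gshadow:")
        /^[ \t]*group:/  && !g { g = NR }   # fallback anchor
        END {
            at = s ? s : g
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == at) print entry
            }
            # Neither anchor present: still configure the database by appending.
            if (!at) print entry
        }
    ' "$conf" > "$tmp"

    # mktemp creates the file 0600; NSS lookups happen in unprivileged
    # processes, so restore the world-readable mode before swapping it in.
    chmod 0644 "$tmp"
    mv "$tmp" "$conf"
}

# Usage (as root): ./add-gshadow.sh /etc/nsswitch.conf
[ "$#" -eq 0 ] || add_gshadow_entry "$1"
```

After running it on a real system, "getent gshadow" as root (the check mentioned in the quoted mail) should list the group shadow entries instead of returning nothing; if it still returns nothing, the gshadow line is most likely using "compat" rather than "files".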

