Package: dh-nss
Version: 1.5
Severity: medium

Hello,

sssd has recently moved to dh-nss and now its dep8 tests are failing.
The reason is because the migration to dh-nss was done for libsss-nss,
but libsss-sudo also performs modifications to /etc/nsswitch.conf.

dh-nss generates the following snippet inside d/libsss-nss.postinst:

--8<---------------cut here---------------start------------->8---
# Automatically added by dh_installnss/1.5
if [ "$1" = "configure" ] && [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ] ; then
        if ! grep -q -E '^[^#:]+:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
                # Installing passwd/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^passwd:\s[^#]*$/ s/$/ sss/' -e '/^passwd:\s.*#/ s/#/ sss #/'
                # Installing group/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^group:\s[^#]*$/ s/$/ sss/' -e '/^group:\s.*#/ s/#/ sss #/'
                # Installing shadow/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^shadow:\s[^#]*$/ s/$/ sss/' -e '/^shadow:\s.*#/ s/#/ sss #/'
                # Installing netgroup/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^netgroup:\s[^#]*$/ s/$/ sss/' -e '/^netgroup:\s.*#/ s/#/ sss #/'
                # Installing services/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^services:\s[^#]*$/ s/$/ sss/' -e '/^services:\s.*#/ s/#/ sss #/'
                # Installing automount/sss from libnss-sss in position last
                sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^automount:\s[^#]*$/ s/$/ sss/' -e '/^automount:\s.*#/ s/#/ sss #/'
        fi
fi
# End automatically added section
--8<---------------cut here---------------end--------------->8---

The problem is that, when libsss-sudo is installed before libsss-nss,
there will already be an entry containing "sss" in /etc/nsswitch.conf.
Because of that, the snippet above doesn't get executed and the
nsswitch.conf file isn't updated.

I read dh_installnss' manpage and source code but I couldn't find an
easy way to work around this problem.  Ideally, the first grep should be
trying to match the dbs specified at the debian/*.nss file, instead of
using a generic match.

Thanks,

-- 
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF  31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
https://sergiodj.net/
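
Added example, not part of the original report and not dh-nss code: it reproduces the skipped update on a constructed nsswitch.conf in which only the sudoers line already lists sss, then applies a per-database check in the spirit of the suggestion above. The function names (make_sample, generic_guard, db_has_sss, install_sss) are hypothetical, and `\s` from the generated snippet is written as `[[:space:]]`.

```shell
#!/bin/sh
# Constructed sample: nsswitch.conf where another package already added sss
# to the sudoers database before the NSS module package is configured.
make_sample() {
    cat <<'EOF'
passwd:         files systemd
group:          files systemd
shadow:         files # local only
netgroup:       nis
services:       db files
sudoers:        files sss
EOF
}

# Same pattern as the guard in the generated postinst snippet:
# succeeds if ANY database line already lists sss.
generic_guard() {
    grep -q -E '^[^#:]+:[^#]*[[:space:]](sss)([[:space:]]|#|$)' "$1"
}

# Hypothetical per-database guard: succeeds only if database $2 lists sss.
db_has_sss() {
    grep -q -E "^${2}:[^#]*[[:space:]]sss([[:space:]]|#|\$)" "$1"
}

# Append sss (position last) to each named database that lacks it, using
# the same two sed expressions as the generated snippet, one database at a time.
install_sss() {
    conf=$1; shift
    for db in "$@"; do
        db_has_sss "$conf" "$db" && continue
        sed -E -e "/^${db}:[[:space:]][^#]*\$/ s/\$/ sss/" \
               -e "/^${db}:[[:space:]].*#/ s/#/ sss #/" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    done
}

# Demo: the generic guard reports sss as present although passwd lacks it.
demo_conf=$(mktemp)
make_sample > "$demo_conf"
generic_guard "$demo_conf" && echo "generic guard matched: update would be skipped"
db_has_sss "$demo_conf" passwd || echo "passwd has no sss entry yet"
install_sss "$demo_conf" passwd group shadow netgroup services automount
cat "$demo_conf"
rm -f "$demo_conf"
```

Running install_sss a second time changes nothing, since each database is checked on its own before its line is edited.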
