Control: title -1 nscd caches "wrong" name for accounts with the same uid Control: found -1 2.37-15
Rehashing this 17-years old bug which biten me today quite hard. On Mon, 12 Feb 2007 22:55:28 -0500 Yaroslav Halchenko <deb...@onerussian.com> wrote:
Today, after unsucsessful attempt to login as sashroot, I've got somewhat broken system -- all processes running under uid=0 were reported belonging to sashroot. Due to lack of knowledge of nss internals I inquired on -devel mailing list and it seems that multiple accounts sharing uid=0 might be considered a bad practice. For more details see http://lists.debian.org/debian-devel/2007/02/msg00323.html thread. If you can prove that it is 'documented feature of nss' to resolve in some deterministic way a uid whenever multiple ones are possible, then probably this bug has to be reassigned against libc6 to which libnss_files belongs. Since this bug might drive whole system broken, I am assigning it important priority, since a big proportion of sash users probably use sashroot account feature.
The problem here is that nscd caches both username and uid on each lookup, instead of caching just the lookup which has been asked, and doing the other lookup the normal way as would be done by getpwnam/getpwuid (and similar for getgrnam/getgrgid etc). For very long time we relied on multiple special accounts having the same uid, exactly like this very sashroot case. We had this for a few system/special accounts. Each name has its own password and/or ssh keys (when in use), and each does start/manage its subsystem with the right permissions. Now, with normal getpwuid(), it will return the first entry with the given uid. But in case of nscd, it returns last looked up entry with this uid instead. Eg, we have root and r_mjt, - when I run getpwnam(root), getpwuid(0) will return the same entry. But once I looked up getpwname(r_mjt), getpwuid(0) will return r_mjt instead of root from now on. Here's another incarnation of the very same theme: https://run.tournament.org.il/multiple-users-with-the-same-uid-gid/ I guess they use oracle rdbms, and for this one it is also very helpful to have 2-3 accounts with the same uid, for managing purposes. And it breaks badly with nscd too. Why this bug is marked 'wontfix'? Thanks, /mjt