[rsbac] nsswitch and pam configuration for UM

Palon Setin palons at danwin1210.me
Thu Dec 13 04:30:00 CET 2018

Palon Setin:
> Hi!
> I have no issue compiling and installing. I'm running the latest
> 4.19.8-rsbac.
I meant, I have the necessary know-how. I have, however, noticed that the
latest rsbac patch, for kernel 4.19.8, apparently conflicts with the xfs
filesystem config option. Unless I set CONFIG_XFS_FS=n, the kernel
wouldn't compile. If this is not yet known to you, I can send details.

> But I can't find any help with configuring /etc/nsswitch.conf and
> /etc/pam.d/*.
Of course I first tried to follow:
where this is my current goal:

"For soft migration and first tries, you can run passwd/shadow and RSBAC
UM in parallel for a while, before you turn the first off: In
nsswitch.conf change “compat” to “compat rsbac”, in /etc/pam.d/* add "
sufficient pam_rsbac.so” before the pam_unix.so line."

And, as often, asking the right question helps you find (some) answers,
I see that this removal of:

> 29.2.3 Notes on the NSS Configuration File
> ------------------------------------------
> Finally a few more hints. ...
> ...    The ‘passwd’, ‘group’, and ‘shadow’ databases are traditionally
> handled in a special way.  ... This kind of lookup remains possible if
> the GNU C
> Library was configured with the ‘--enable-obsolete-nsl’ option and the
> special lookup service ‘compat’ is used.  If the GNU C Library was
> configured with the ‘--enable-obsolete-nsl’ option the default value for
> the three databases above is ‘compat [NOTFOUND=return] files’.  If the
> ‘--enable-obsolete-nsl’ option was not used the default value for the
> services is ‘files’.

(that removal) is still in progress in the Linux world:
where it was news just over only one year ago (I'm running Debian

> I'm not even in the clear which package contains /etc/nsswitch.conf in
> the stock Debian install... And I have no experience compiling libc...

This is my package:
# apt-cache policy libc6
  Installed: 2.27-8
  Candidate: 2.27-8

which is the current stable as per:

# dpkg -L libc6 | grep nss

it does not hold the /etc/nsswitch.conf file, and I mean I'm not in the

> Is it necessary to recompile (and which package exactly of) libc with
> ‘--enable-obsolete-nsl’ to get the tip in the current rsbac-admin
> implementable?
(I'm not in the clear) which exact package installs /etc/nsswitch.conf
in Debian?

Any tips, and help, most welcome!

Palon Setin
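
The parallel setup quoted above from the RSBAC documentation (add "rsbac" to the NSS lookups, put a "sufficient pam_rsbac.so" line before pam_unix.so) can be checked mechanically. The following is an added example, not part of the original post and not RSBAC project code; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit NSS and PAM files for the parallel passwd/shadow + RSBAC UM setup.

# nss_has_rsbac FILE DB -> status 0 if DB's line in FILE lists the "rsbac" service
nss_has_rsbac() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "rsbac") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# pam_rsbac_before_unix FILE -> status 0: a "sufficient pam_rsbac.so" line precedes
# the first pam_unix.so line; 1: pam_unix.so comes first; 2: no pam_unix.so line
pam_rsbac_before_unix() {
    awk '
        { sub(/#.*/, "") }
        /pam_unix\.so/ { seen_unix = 1; exit }  # stop at the first pam_unix.so line
        $2 == "sufficient" && $3 ~ /(^|\/)pam_rsbac\.so$/ { ok = 1 }
        END { exit (seen_unix ? (ok ? 0 : 1) : 2) }
    ' "$1"
}

# Constructed sample files (not taken from a real system).
make_samples() {
    printf '%s\n' 'passwd: compat rsbac' 'group: compat rsbac' \
        'shadow: compat   # rsbac not added yet' > "$1/nsswitch.conf"
    printf '%s\n' 'auth sufficient pam_rsbac.so' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$1/good"
    printf '%s\n' 'auth required pam_unix.so' \
        'auth sufficient pam_rsbac.so' > "$1/bad"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for db in passwd group shadow; do
    nss_has_rsbac "$tmp/nsswitch.conf" "$db" && s=yes || s=no
    echo "nsswitch $db lists rsbac: $s"
done
for f in good bad; do
    pam_rsbac_before_unix "$tmp/$f" && rc=0 || rc=$?
    echo "pam sample '$f': status $rc"
done
rm -rf "$tmp"
```

On a real system, point the two functions at /etc/nsswitch.conf and at each file under /etc/pam.d/; status 2 is expected for service files that only include a common stack.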
