[rsbac] nsswitch and pam configuration for UM

Palon Setin palons at danwin1210.me
Thu Dec 13 04:30:00 CET 2018



Palon Setin:
> Hi!
> I have no issue compiling and installing. I'm running the latest
> 4.19.8-rsbac.
I meant, I have the necessary know-how. I've, however, noticed that the
latest rsbac patch, for kernel 4.19.8, apparently conflicts with the xfs
filesystem config option. Unless I set CONFIG_XFS_FS=n, the kernel
wouldn't compile. If this is not yet known to you, I can send details.

> But I can't find any help with configuring /etc/nsswitch.conf and
> /etc/pam.d/*.
Of course I first tried to follow:
https://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/user_management
where this is my current goal:

"For soft migration and first tries, you can run passwd/shadow and RSBAC
UM in parallel for a while, before you turn the first off: In
nsswitch.conf change “compat” to “compat rsbac”, in /etc/pam.d/* add
“sufficient pam_rsbac.so” before the pam_unix.so line."

And, as often, asking the right question helps you find (some) answers,
I see that this removal of:
...

> 29.2.3 Notes on the NSS Configuration File
> ------------------------------------------
> 
> Finally a few more hints. ...
> ...    The ‘passwd’, ‘group’, and ‘shadow’ databases are traditionally
> handled in a special way.  ... This kind of lookup remains possible if
> the GNU C
> Library was configured with the ‘--enable-obsolete-nsl’ option and the
> special lookup service ‘compat’ is used.  If the GNU C Library was
> configured with the ‘--enable-obsolete-nsl’ option the default value for
> the three databases above is ‘compat [NOTFOUND=return] files’.  If the
> ‘--enable-obsolete-nsl’ option was not used the default value for the
> services is ‘files’.

(that removal) is still in progress in the Linux world:
https://lwn.net/Articles/729761/
where it was news only just over one year ago (I'm running Debian
testing/unstable).

> I'm not even in the clear which package contains /etc/nsswitch.conf in
> the stock Debian install... And I have no experience compiling libc...

This is my package:
# apt-cache policy libc6
libc6:
  Installed: 2.27-8
  Candidate: 2.27-8

which is the current stable as per:
https://www.gnu.org/software/libc/

However:
# dpkg -L libc6 | grep nss
/lib/x86_64-linux-gnu/libnss_compat-2.27.so
/lib/x86_64-linux-gnu/libnss_dns-2.27.so
/lib/x86_64-linux-gnu/libnss_files-2.27.so
/lib/x86_64-linux-gnu/libnss_hesiod-2.27.so
/lib/x86_64-linux-gnu/libnss_nis-2.27.so
/lib/x86_64-linux-gnu/libnss_nisplus-2.27.so
/lib/x86_64-linux-gnu/libnss_compat.so.2
/lib/x86_64-linux-gnu/libnss_dns.so.2
/lib/x86_64-linux-gnu/libnss_files.so.2
/lib/x86_64-linux-gnu/libnss_hesiod.so.2
/lib/x86_64-linux-gnu/libnss_nis.so.2
/lib/x86_64-linux-gnu/libnss_nisplus.so.2

it does not hold the /etc/nsswitch.conf file, and I mean I'm not in the
clear:

> Is it necessary to recompile (and which package exactly of) libc with
> ‘--enable-obsolete-nsl’ to get the tip in the current rsbac-admin
> implementable?
(I'm not in the clear) which exact package installs /etc/nsswitch.conf
in Debian?

Any tips, and help, most welcome!

sincerely,
Palon Setin
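
The handbook step quoted in the message above, as an added example that is not part of the original post and is not RSBAC project code: a Python check that passwd, group and shadow list "rsbac" after "compat" in nsswitch.conf, and that a "sufficient pam_rsbac.so" line precedes pam_unix.so in a PAM file. The sample file contents and function names are constructed here, and checking the PAM order separately for each module type is an assumption of this example.

```python
import re

# Constructed sample inputs (not from the post); real files live under /etc.
NSSWITCH = """\
passwd:         compat rsbac
group:          compat rsbac
shadow:         compat
"""
PAM_WRONG_ORDER = """\
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    sufficient                  pam_rsbac.so
"""
PAM_OK = """\
auth    sufficient  pam_rsbac.so
auth    required    pam_unix.so nullok_secure
"""

UM_DATABASES = ("passwd", "group", "shadow")
# PAM line: type, control (plain word or [bracketed list]), module path.
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_missing_rsbac(text):
    """Return UM databases that do not list 'rsbac' after 'compat'."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, rest = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return] before splitting.
            services[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    missing = []
    for db in UM_DATABASES:
        svc = services.get(db, [])
        if not ("compat" in svc and "rsbac" in svc[svc.index("compat"):]):
            missing.append(db)
    return missing

def pam_unix_before_rsbac(text):
    """Return module types where pam_unix.so has no earlier 'sufficient pam_rsbac.so'."""
    seen_rsbac, bad = set(), []
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if not m:
            continue  # blank lines, comments, @include directives
        ptype, control, module = m.group(1).lstrip("-"), m.group(2), m.group(3)
        if module == "pam_rsbac.so" and control == "sufficient":
            seen_rsbac.add(ptype)
        elif module == "pam_unix.so" and ptype not in seen_rsbac and ptype not in bad:
            bad.append(ptype)
    return bad
```

To check a live system, pass the text of /etc/nsswitch.conf and of each file under /etc/pam.d to the two functions; an empty list means the parallel setup from the handbook quote is in place for that file.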

