[rsbac] nsswitch and pam configuration for UM
Palon Setin
palons at danwin1210.me
Thu Dec 13 04:30:00 CET 2018
Palon Setin:
> Hi!
> I have no issue compiling and installing. I'm running the latest
> 4.19.8-rsbac.
I meant, I have the necessary know-how. I have, however, noticed that the
latest rsbac patch, for kernel 4.19.8, apparently conflicts with the xfs
filesystem config option. Unless I set CONFIG_XFS_FS=n, the kernel
wouldn't compile. If this is not yet known to you, I can send details.
> But I can't find any help with configuring /etc/nsswitch.conf and
> /etc/pam.d/*.
Of course I first tried to follow:
https://www.rsbac.org/documentation/rsbac_handbook/configuration_basics/user_management
where this is my current goal:
"For soft migration and first tries, you can run passwd/shadow and RSBAC
UM in parallel for a while, before you turn the first off: In
nsswitch.conf change “compat” to “compat rsbac”, in /etc/pam.d/* add "
sufficient pam_rsbac.so” before the pam_unix.so line."
And, as often, asking the right question helps you find (some) answers,
I see that this removal of:
...
> 29.2.3 Notes on the NSS Configuration File
> ------------------------------------------
>
> Finally a few more hints. ...
> ... The ‘passwd’, ‘group’, and ‘shadow’ databases are traditionally
> handled in a special way. ... This kind of lookup remains possible if
> the GNU C
> Library was configured with the ‘--enable-obsolete-nsl’ option and the
> special lookup service ‘compat’ is used. If the GNU C Library was
> configured with the ‘--enable-obsolete-nsl’ option the default value for
> the three databases above is ‘compat [NOTFOUND=return] files’. If the
> ‘--enable-obsolete-nsl’ option was not used the default value for the
> services is ‘files’.
(that removal) is still in progress in the Linux world:
https://lwn.net/Articles/729761/
where it was news only just over one year ago (I'm running Debian
testing/unstable).
> I'm not even in the clear which package contains /etc/nsswitch.conf in
> the stock Debian install... And I have no experience compiling libc...
This is my package:
# apt-cache policy libc6
libc6:
  Installed: 2.27-8
  Candidate: 2.27-8
which is the current stable as per:
https://www.gnu.org/software/libc/
However:
# dpkg -L libc6 | grep nss
/lib/x86_64-linux-gnu/libnss_compat-2.27.so
/lib/x86_64-linux-gnu/libnss_dns-2.27.so
/lib/x86_64-linux-gnu/libnss_files-2.27.so
/lib/x86_64-linux-gnu/libnss_hesiod-2.27.so
/lib/x86_64-linux-gnu/libnss_nis-2.27.so
/lib/x86_64-linux-gnu/libnss_nisplus-2.27.so
/lib/x86_64-linux-gnu/libnss_compat.so.2
/lib/x86_64-linux-gnu/libnss_dns.so.2
/lib/x86_64-linux-gnu/libnss_files.so.2
/lib/x86_64-linux-gnu/libnss_hesiod.so.2
/lib/x86_64-linux-gnu/libnss_nis.so.2
/lib/x86_64-linux-gnu/libnss_nisplus.so.2
it does not hold the /etc/nsswitch.conf file, and I mean I'm not in the
clear:
> Is it necessary to recompile (and which package exactly of) libc with
> ‘--enable-obsolete-nsl’ to get the tip in the current rsbac-admin
> implementable?
(I'm not in the clear) which exact package installs /etc/nsswitch.conf
in Debian?
Any tips, and help, most welcome!
sincerely,
Palon Setin
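
Added example, not part of the original message and not RSBAC project code: a dry run of the handbook's "compat" to "compat rsbac" edit quoted above, applied to a copy of nsswitch.conf. The helper name rsbac_nss_preview and the sample file are constructed for illustration; account databases without a compat entry (the newer glibc default discussed in the mail) are reported on stderr and left unchanged.

```shell
#!/bin/sh
# Added example: preview the handbook's "compat" -> "compat rsbac" change.
# The input file is never modified; the edited text goes to stdout.

rsbac_nss_preview() {   # hypothetical helper name; $1 = path to a copy of the file
    awk '
    /^(passwd|group|shadow):/ {
        has_compat = 0; has_rsbac = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "compat") has_compat = 1
            if ($i == "rsbac")  has_rsbac = 1
        }
        if (!has_rsbac && !has_compat) {
            # glibc built without the compat default: nothing to replace here
            print "note: " $1 " has no compat entry, left unchanged" > "/dev/stderr"
        } else if (!has_rsbac && index($0, "[")) {
            # an action such as [NOTFOUND=return] would then apply to rsbac
            print "note: " $1 " has an action item, edit by hand" > "/dev/stderr"
        } else if (!has_rsbac) {
            # keep the original spacing, add rsbac right after compat
            sub(/compat/, "compat rsbac")
        }
    }
    { print }
    ' "$1"
}

# Constructed sample input (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat systemd
shadow:         files
hosts:          files dns
EOF

rsbac_nss_preview "$sample"
rm -f "$sample"
```

Running the preview on its own output changes nothing further, so it can be compared against the live file with diff before anything is copied into place.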