Bug 11257 - need finer control of group unioning in /etc/nsswitch.conf
Summary: need finer control of group unioning in /etc/nsswitch.conf
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.10
Importance: P2 enhancement
Target Milestone: ---
Assignee: Ulrich Drepper
Depends on:
Reported: 2010-02-06 14:52 UTC by Mike Coleman
Modified: 2014-06-30 18:50 UTC

See Also:
Last reconfirmed:
fweimer: security-

Description Mike Coleman 2010-02-06 14:52:04 UTC
This is a feature request more than a bug.  It appears that /etc/nsswitch.conf
generally allows one to specify which sources of user information shadow others,
but this doesn't really work for group information.  That is, if I say "passwd:
files winbind", user 'foo' in files completely shadows any user 'foo' in
winbind, as far as passwd information goes.

But, if I say "group: files winbind", it appears that both files and winbind are
used to determine the set of secondary groups for a user.

What I would like is a way to say that if a user is found in the first source
(files) that *only* that source will be used for group information, and that
nothing will come from the later source (winbind in this example).
Comment 1 Ulrich Drepper 2011-05-10 04:43:18 UTC
By secondary groups I assume you mean the groups handled by initgroups and getgrouplist.

I agree that something better is warranted.  Some time ago I already added an initgroups entry to nsswitch.conf.  Now I have also added code to not proceed to the next service in case of a successful lookup when the initgroups entry is used.  If the nsswitch.conf file only contains a groups entry the behavior doesn't change.  The result is in git.
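The rule stated in comment 1 can be checked without a winbind-joined machine. The Python below is an added model written for this page, not glibc's own code: the "files" and "winbind" sources are constructed in-memory tables, the three nsswitch.conf fragments are constructed, and getgrouplist() imitates the chain walk for initgroups(3)/getgrouplist(3) that the comment describes. It applies glibc's documented default actions ([SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]), honours an explicit [STATUS=action] list after a service name, and keeps the compatibility behaviour (continue past a SUCCESS) only when no "initgroups:" line exists and the "group:" line has to be used instead.

```python
"""Model of the NSS chain walk for initgroups/getgrouplist after the fix in
comment 1.  Added illustration for this bug, not glibc code.  The sources,
users and nsswitch.conf fragments below are constructed sample data."""

import re

# Constructed sources: "foo" exists in both (with different secondary groups),
# "bar" exists only in winbind.  Values are supplementary GIDs.
SOURCES = {
    "files": {"foo": [1000, 27]},
    "winbind": {"foo": [10001, 10002], "bar": [10001]},
}

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

# glibc's documented defaults: only SUCCESS stops the walk, everything else
# moves on to the next service.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_nss_line(line):
    """Parse 'db: svc [STATUS=action ...] svc ...' into (db, [(svc, actions)]).
    Only the return/continue actions are modelled; negated forms such as
    [!SUCCESS=return] and the newer 'merge' action are rejected."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in %r" % line)
    services = []
    for bracket, svc in re.findall(r"\[([^\]]*)\]|(\S+)", rest):
        if svc:
            services.append((svc, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action list before any service in %r" % line)
        for kv in bracket.split():
            status, _, action = kv.partition("=")
            status, action = status.upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("unsupported action %r in %r" % (kv, line))
            services[-1][1][status] = action
    return db.strip(), services


def nss_config(conf_text):
    """Return {database: [(service, actions)]} for an nsswitch.conf text."""
    cfg = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            db, services = parse_nss_line(line)
            cfg[db] = services
    return cfg


def lookup(service, user):
    """One service's initgroups lookup: (NSS status, list of GIDs)."""
    table = SOURCES.get(service)
    if table is None:
        return "UNAVAIL", []
    if user not in table:
        return "NOTFOUND", []
    return "SUCCESS", list(table[user])


def getgrouplist(cfg, user):
    """Walk the chain as comment 1 describes: an 'initgroups:' line is
    authoritative and its actions are respected; with only a 'group:' line
    the old merging behaviour (continue even after SUCCESS) is kept."""
    use_initgroups_entry = "initgroups" in cfg
    chain = cfg["initgroups"] if use_initgroups_entry else cfg["group"]
    groups = []
    for svc, actions in chain:
        status, gids = lookup(svc, user)
        for gid in gids:            # de-duplicate, as glibc does
            if gid not in groups:
                groups.append(gid)
        if (use_initgroups_entry or status != "SUCCESS") \
                and actions[status] == "return":
            break
    return groups


# Constructed nsswitch.conf fragments: the reporter's setup, the fixed
# behaviour, and an explicit opt-in to the old merging behaviour.
GROUP_ONLY = "passwd: files winbind\ngroup:  files winbind\n"
INITGROUPS_LINE = GROUP_ONLY + "initgroups: files winbind\n"
INITGROUPS_MERGE = GROUP_ONLY + "initgroups: files [SUCCESS=continue] winbind\n"

if __name__ == "__main__":
    for name, text in (("group only", GROUP_ONLY),
                       ("initgroups", INITGROUPS_LINE),
                       ("initgroups, SUCCESS=continue", INITGROUPS_MERGE)):
        cfg = nss_config(text)
        print("%-30s foo=%s bar=%s" % (name, getgrouplist(cfg, "foo"),
                                       getgrouplist(cfg, "bar")))
```

Running it shows the three outcomes that matter for the report: with only a group line, foo gets the union of both sources; with an initgroups line, foo's lookup stops at files while bar (absent from files, so NOTFOUND) still falls through to winbind; and [SUCCESS=continue] on the initgroups line restores the union for anyone who wants it.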