On Sun, Jan 27, 2013 at 12:18:30PM +0000, Roger Leigh wrote:
> Hi Santiago,
>
> I've attached a patch for adding support for the "gshadow"
> (group shadow) NSS database to nsswitch.conf. Without this,
> the libc getsg* family of functions will not work, hence
> marking serious or else these functions will be broken for
> new installations; would also be nice if it was possible to
> add for upgrades as well? Do we have any mechanism for
> making NSS updates?
>
> Note that it's using the "files" service rather than "compat"
> here because "compat" does not support gshadow, but "files"
> does (can be tested by running "getent gshadow" as root).
Updated patch attached. This will upgrade nsswitch.conf in-place on upgrade to add support for gshadow for existing installations, while new installs will get the new nsswitch.conf by default. Note that it's only run for upgrades from base-files << 7.2, so will only be run once.

The sed script will insert the new entry after the shadow entry if present, to make it identical to the default nsswitch.conf, otherwise it will be inserted after the group entry which it matches.

On #debian-devel, we discussed the security implications of enabling this by default, but the consensus was that since this is only readable by root, it's not an issue (restricting the upgrade to only group:(compat|files) was considered, but thought to not be worthwhile over enabling it for all cases).

Thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
diff -urN base-files-7.1.original/debian/changelog base-files-7.2/debian/changelog --- base-files-7.1.original/debian/changelog 2013-01-27 11:59:40.147903916 +0000 +++ base-files-7.2/debian/changelog 2013-01-27 13:55:10.111292346 +0000 @@ -1,3 +1,13 @@ +base-files (7.2) unstable; urgency=low + + * Add an entry for the "gshadow" database to the nsswitch.conf; + also add this entry to existing nsswitch.conf files on upgrade. + This is needed for the glibc getsg* family of functions which + operate on the group shadow database to function correctly. + Closes: #699090. + + -- Roger Leigh <rle...@debian.org> Sun, 27 Jan 2013 13:51:41 +0000 + base-files (7.1) unstable; urgency=low * Added Multi-Arch: foreign. This is needed even if base-files is diff -urN base-files-7.1.original/debian/postinst.in base-files-7.2/debian/postinst.in --- base-files-7.1.original/debian/postinst.in 2013-01-27 11:59:40.147903916 +0000 +++ base-files-7.2/debian/postinst.in 2013-01-27 14:01:37.541714235 +0000 @@ -122,3 +122,17 @@ install_from_default /usr/share/base-files/staff-group-for-usr-local \ /etc/staff-group-for-usr-local fi + +# Add gshadow to nsswitch.conf on upgrade +if dpkg --compare-versions "$2" lt-nl "7.2"; then + if ! grep -q '^[[:space:]]*gshadow:[[:space:]]' /etc/nsswitch.conf; then + match=group + if grep -q '^[[:space:]]*shadow[[:space:]]*:' /etc/nsswitch.conf; then + match=shadow + fi + sed -i -e "1,/^[[:space:]]*$match[[:space:]]*:.*\$/ {/^[[:space:]]*$match[[:space:]]*:.*\$/a\ +gshadow: files +}" /etc/nsswitch.conf + echo Updating /etc/nsswitch.conf to add the gshadow database. + fi +fi diff -urN base-files-7.1.original/share/nsswitch.conf base-files-7.2/share/nsswitch.conf --- base-files-7.1.original/share/nsswitch.conf 2013-01-27 11:59:40.147903916 +0000 +++ base-files-7.2/share/nsswitch.conf 2013-01-27 12:04:44.534176087 +0000 @@ -7,6 +7,7 @@ passwd: compat group: compat shadow: compat +gshadow: files hosts: files dns networks: files
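Review bot: in the debian/postinst.in hunk the presence check `grep -q '^[[:space:]]*gshadow:[[:space:]]'` is stricter than the two anchor patterns (`^[[:space:]]*$match[[:space:]]*:`): it requires the colon to follow `gshadow` directly and whitespace to follow the colon, so a hand-edited `gshadow : files` or `gshadow:files` line is not seen and a second gshadow entry gets appended. Use the same shape for all three greps, e.g. `grep -q '^[[:space:]]*gshadow[[:space:]]*:'`. Two smaller points in the same block: the `1,/.../` range cannot close on line 1, so if the chosen anchor is the first line of the file the range runs on to the next match (or end of file) and the `a\` command fires on every matching line inside it; GNU sed's `0,/.../` form is the one that stops at a first-line match. And `echo Updating /etc/nsswitch.conf to add the gshadow database.` is printed even when neither a `shadow:` nor a `group:` line exists and sed inserted nothing (and `sed -i` errors out if /etc/nsswitch.conf is missing altogether); guard the sed and the message on the anchor grep succeeding, or re-grep for gshadow afterwards before reporting the update.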
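Review bot: in the share/nsswitch.conf hunk the new `+gshadow: files` line uses a different service from the `compat` on the `passwd:`, `group:` and `shadow:` lines directly above it, and nothing in the file says why; the reason (the compat backend does not support gshadow, files does) lives only in the covering mail. A one-line comment above the entry would keep the next editor from "harmonising" it to compat and silently breaking the getsg* functions the changelog entry says this is for.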
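The upgrade logic described in the mail (insert after the shadow entry if present, otherwise after the group entry, and only when no gshadow entry exists yet), as an added shell example that is not part of the base-files patch or of the Debian package: the function names add_gshadow and demo_nsswitch, the padded `gshadow:        files` spelling and the sample file contents are my own assumptions. It uses awk rather than `sed -i` so that an anchor on the first line is handled and the target file keeps its inode, owner and mode, and its presence check accepts whitespace before the colon so a hand-edited entry is not duplicated.

```shell
#!/bin/sh
# Added example, not the base-files patch itself: add a "gshadow" database
# entry to an nsswitch.conf-style file the way the upgrade hook intends:
#   - do nothing if any gshadow entry already exists (idempotent);
#   - otherwise insert "gshadow: files" right after the first "shadow:" line,
#     or after the first "group:" line when there is no shadow entry;
#   - leave the file alone when neither anchor exists.
# "[[:space:]]*:" in every pattern accepts "shadow :" as well as "shadow:",
# so a hand-edited file does not receive a duplicate entry.
# Exit status: 0 changed, 1 already present, 2 no anchor line, 3 I/O error.

add_gshadow() {
    f=$1

    if grep -q '^[[:space:]]*gshadow[[:space:]]*:' "$f"; then
        return 1
    fi

    anchor=
    for m in shadow group; do
        if grep -q "^[[:space:]]*$m[[:space:]]*:" "$f"; then
            anchor=$m
            break
        fi
    done
    if [ -z "$anchor" ]; then
        return 2
    fi

    # awk instead of a sed "1,/re/" range: a line-number start address cannot
    # end the range on line 1, so a group: entry on the first line would be
    # matched again further down.  The "inserted" flag appends exactly once.
    tmp=$(mktemp) || return 3
    awk -v a="$anchor" '
        { print }
        !inserted && $0 ~ ("^[ \t]*" a "[ \t]*:") {
            print "gshadow:        files"   # hypothetical padding, matches stock layout
            inserted = 1
        }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 3; }
    # Write back through the existing file so its inode, owner and mode survive.
    cat "$tmp" > "$f" || { rm -f "$tmp"; return 3; }
    rm -f "$tmp"
    return 0
}

# Demo on a constructed copy of the stock nsswitch.conf layout (sample data,
# not a real system file).
demo_nsswitch() {
    d=$(mktemp) || return 3
    printf '# /etc/nsswitch.conf (constructed sample)\n' > "$d"
    printf 'passwd:         compat\ngroup:          compat\nshadow:         compat\n' >> "$d"
    printf 'hosts:          files dns\nnetworks:       files\n' >> "$d"
    add_gshadow "$d"
    echo "add_gshadow returned $?"
    cat "$d"
    rm -f "$d"
}

demo_nsswitch
```

Running it once inserts `gshadow:        files` directly after the `shadow:` line; running it again returns 1 and leaves the file untouched, which is the property the patch's one-shot `base-files << 7.2` guard otherwise has to supply.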