summary refs log tree commit diff
path: root/doc/index.html
blob: 6af20c4ee6f1c8fb4fdfd8d0bcf096caec17c712 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Language" content="en" />
    <title>nsss - a secure NSS-like implementation for small libcs</title>
    <meta name="Description" content="nsss - a secure NSS-like implementation for small libcs" />
    <meta name="Keywords" content="nsss NSS musl libc unix passwd grp shadow laurent bercot skarnet" />
    <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
  </head>
<body>

<p>
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>

<h1> nsss </h1>

<h2> What is it&nbsp;? </h2>

<p>
 nsss is an implementation of a subset of the <tt>pwd.h</tt>,
<tt>group.h</tt> and <tt>shadow.h</tt> family of functions,
performing user database access on Unix systems.
</p>

<p>
 Usually, user database access via <tt>getpwnam()</tt> and similar
function is provided by the system's libc. However, not all libcs implement
a configurable backend for the user/group database. For instance the
<a href="https://musl-libc.org/">musl</a> libc, on Linux, only supports
the standard <tt>/etc/passwd</tt> mechanism; it also supports the
<tt>nscd</tt> protocol but this is not quite enough:
</p>

<ul>
 <li> musl only connects to nscd when it cannot find an answer in
its files backend </li>
 <li> The nscd protocol does not support enumeration, so primitives
such as <tt>getpwent()</tt> cannot be implemented over nscd. </li>
</ul>

<p>
 The mechanism used by glibc, called <tt>Name Service Switch</tt>
(abbreviated to <tt>nsswitch</tt> or <tt>NSS</tt>), has its own
<a href="nsswitch.html">set of issues</a> that makes it unsuitable
in certain situations.
</p>

<p>
 <tt>nsss</tt> is a secure implementation of a "name service switch":
configurable user/group/shadow database access, providing <tt>getpwnam()</tt>
et al. functionality by communicating over a Unix domain socket with a daemon;
the daemon can perform lookups in any database it chooses.
</p>

<p>
 <tt>nsss</tt> does not perform dynamic module
loading, only adds a small footprint to the application's binary,
and does not add any complex decision engine into the client's address
space. Applications can be statically linked against the <tt>nsss</tt>
library, and still benefit from configurable user database access
functions.
</p>

<hr />

<ul>
 <li> <a href="nsswitch.html">The problem with <tt>nsswitch</tt></a> </li>
 <li> <a href="overview.html">An overview of <tt>nsss</tt></a> </li>
</ul>

<hr />

<h2> Installation </h2>

<h3> Requirements </h3>

<ul>
 <li> A POSIX-compliant system with a standard C development environment </li>
 <li> GNU make, version 3.81 or later </li>
 <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version
2.11.0.0 or later. It's a build-time requirement. It's also a run-time
requirement if you link against the shared version of the skalibs
library. </li>
 <li> <a href="//skarnet.org/software/s6/">s6</a> version
2.11.0.0 or later. It's a <em>run-time</em> requirement only, to run
the nsssd service (and can be done without if you have a suitable replacement
for <a href="//skarnet.org/software/s6/s6-ipcserver">s6-ipcserver</a>). </li>
</ul>

<h3> Licensing </h3>

<p>
 nsss is free software. It is available under the
<a href="https://opensource.org/licenses/ISC">ISC license</a>.
</p>

<h3> Download </h3>

<ul>
 <li> The current released version of nsss is <a href="nsss-0.1.0.2.tar.gz">0.1.0.2</a>. </li>
 <li> Alternatively, you can checkout a copy of the
<a href="//git.skarnet.org/cgi-bin/cgit.cgi/nsss/">nsss
git repository</a>:
<pre> git clone git://git.skarnet.org/nsss </pre> </li>
 <li> There's also a
<a href="https://github.com/skarnet/nsss">GitHub mirror</a>
of the nsss git repository. </li>
</ul>

<h3> Compilation </h3>

<ul>
 <li> See the enclosed INSTALL file for installation details. </li>
</ul>

<h3> Upgrade notes </h3>

<ul>
 <li> <a href="upgrade.html">This page</a> lists the differences to be aware of between
the previous versions of nsss and the current one. </li>
</ul>

<hr />

<h2> Reference </h2>

<h3> Commands </h3>

<p>
 The following commands are not meant to be directly invoked on the
command-line. They are meant to be used behind a Unix domain socket
super-server such as
<a href="https://skarnet.org/software/s6/s6-ipcserver.html">s6-ipcserver</a>
in order to provide a
<a href="https://skarnet.org/software/s6/localservice.html">local service</a>.
Depending on the chosen command, the service will provide a different
backend to the name service.
</p>

<ul>
 <li> The <a href="nsssd-unix.html"><tt>nsssd-unix</tt></a> program </li>
 <li> The <a href="nsssd-nslcd.html"><tt>nsssd-nslcd</tt></a> program </li>
</ul>

<p>
 Future versions of nsss will come with more backends.
</p>

<h3> Libraries </h3>

<ul>
 <li> <a href="libnsss/">The <tt>nsss</tt> library interface</a>,
which applications use. A client application using one of the
following primitives will automatically perform libnsss calls:
  <ul>
   <li> endpwent() </li>
   <li> setpwent() </li>
   <li> getpwent() </li>
   <li> getpwent_r() </li>
   <li> getpwuid() </li>
   <li> getpwuid_r() </li>
   <li> getpwnam() </li>
   <li> getpwnam_r() </li>
   <li> endgrent() </li>
   <li> setgrent() </li>
   <li> getgrent() </li>
   <li> getgrent_r() </li>
   <li> getgrgid() </li>
   <li> getgrgid_r() </li>
   <li> getgrnam() </li>
   <li> getgrnam_r() </li>
   <li> getgrouplist() </li>
   <li> endspent() </li>
   <li> setspent() </li>
   <li> getspent() </li>
   <li> getspent_r() </li>
   <li> getspnam() </li>
   <li> getspnam_r() </li>
  </ul> </li>
 <li> <a href="libnsssd/">The <tt>nsssd</tt> library interface</a>,
which can be used to write additional backends. </li>
</ul>

<hr />

<a name="related">
<h2> Related resources </h2>
</a>

<h3> nsss discussion </h3>

<ul>
 <li> <tt>nsss</tt> is discussed on the
<a href="//skarnet.org/lists/#skaware">skaware</a> mailing-list. </li>
</ul>

</body>
</html>