💾 Archived View for ajdiaz.me › libnss_map captured on 2023-07-10 at 13:19:37. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-06-03)
-=-=-=-=-=-=-
The libnss_map module ===================== The libnss_map module is a NSS library to map user credentials to existent user in the system. This module is intended to be used in high virtualized environment like cloud computing or embedded systems which require a lot of users. When a new user has been authenticated by PAM or other authentication mechanism, then the nss_map module create a virtual user when credentials mapped to an existent user. For example, suppose here are a user virtual, created a la standard way on /etc/passwd: virtual:x:15000:15000:virtual user for nss_map:/dev/null:/sbin/nologin Then edit the /etc/nssmap.conf file: virtual:x:15000:15000:virtual user for nss_map:/home/virtual:/bin/bash Note that the user directory is really a base dir in nssmap, each new user can search their home in ``/home/virtual/logname'', where logname is the name used by user to login, and the /home/virtual is the prefix setted in nssmap.conf. What about mapped groups? nss_map support mapped roles as groups. It's useful to maintain a list of roles in your systems, like operators, sysadmins, dbas etc. The first try is to add the virtual user to a number of groups in the usual way, so all users extends this groups. On the other hand if you need a more granular group control you need to use a per user nss_map configuration. Obviously the groups must be exists on any nss switchable mechanism. The file ``~/.nssmaprc'' on home dir (i.e. the base dir plus the logname) of the user can contain a single mapping for groups. This file is a plaintext file owner by root:root with 400 permissions which contain a list of group names in the form of classic ``/etc/group'': wheel:x:10:usera Security considerations ----------------------- The security is not the main focus of nss_map, so bugs and exploits will be available soon, get are some easy-to-remember rules to keep your maps safety: 1. Don't use group maps if it's don't required. 2. If you need group maps then be sure that the ``~/.nssmaprc'' file has 0644 permissions are it's owner is root. 3. The LOGNAME environment variable is used by nss_map to get the currently user name to put on file listing or process list. Also the same variable is used by nss_map to map group, so check that the LOGNAME variable is readonly for user process. About compilation ----------------- If you need to enable debug support only put the following line on config.mk file at the top path of libnss_map source code: $ cat > config.mk <<EOF CFLAGS += -DDEBUG EOF Enjoy!
Latest stable releases:
Source releases/libnss_map-1.0.tar.gz
Signature releases/libnss_map-1.0.tar.gz.asc
The source code of the project is managed by git, you can clone it in the
usual way:
git clone https://git.ajdiaz.me/libnss_map
If you find any error in the code or incorrect behaviour, please do
not hesitate to report it in the devel mailing list:
libnss_map-devel@lists.ajdiaz.me
Please note that you need to subscribe to the list prior to post to avoid
spam, just send an empty email to
with the text `subscribe libnss_map-devel` in the subject.
Any suggestion, discussion or improvement are welcome, just mail to the
list!