This is nss_nonlocal, an nsswitch module that acts as a proxy for other nsswitch modules like hesiod, but prevents non-local users from potentially gaining local privileges by spoofing local UIDs and GIDs. To use it, configure /etc/nsswitch.conf as follows: passwd: compat nonlocal passwd_nonlocal: hesiod group: compat nonlocal group_nonlocal: hesiod The module also assigns special properties to two local groups and one local user, if they exist: • If the local group ‘nss-nonlocal-users’ exists, then nonlocal users will be automatically added to it. Furthermore, if a local user is added to this group, then that user will inherit any nonlocal gids from a nonlocal user of the same name, as supplementary gids. • If the local group ‘nss-local-users’ exists, then local users will be automatically added to it. • If the local user ‘nss-nonlocal-users’ is added to a local group, then the local group will inherit the nonlocal membership of a group of the same gid. Copyright © 2007–2010 Anders Kaseorg and Tim Abbott nss_nonlocal is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. nss_nonlocal is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with nss_nonlocal; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA