source: trunk/server/common/oursrc/nss_nonlocal/README @ 2498

Last change on this file since 2498 was 1825, checked in by andersk, 13 years ago
Update nss_nonlocal to 2.0 - Fix errno saving and restoring. - Document nss-nonlocal-users and nss-local-users groups in README. - Allow local whitelisting of nonlocal user and group memberships, using the magic local ‘nss-nonlocal-users’ user and group.
File size: 1.8 KB
Line 
1This is nss_nonlocal, an nsswitch module that acts as a proxy for other
2nsswitch modules like hesiod, but prevents non-local users from
3potentially gaining local privileges by spoofing local UIDs and GIDs.
4
5To use it, configure /etc/nsswitch.conf as follows:
6
7passwd:         compat nonlocal
8passwd_nonlocal: hesiod
9group:          compat nonlocal
10group_nonlocal: hesiod
11
12The module also assigns special properties to two local groups and one
13local user, if they exist:
14
15• If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
16  will be automatically added to it.  Furthermore, if a local user is
17  added to this group, then that user will inherit any nonlocal gids
18  from a nonlocal user of the same name, as supplementary gids.
19
20• If the local group ‘nss-local-users’ exists, then local users will
21  be automatically added to it.
22
23• If the local user ‘nss-nonlocal-users’ is added to a local group,
24  then the local group will inherit the nonlocal membership of a group
25  of the same gid.
26
27Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
28<tabbott@mit.edu>
29
30nss_nonlocal is free software; you can redistribute it and/or modify
31it under the terms of the GNU Lesser General Public License as
32published by the Free Software Foundation; either version 2.1 of the
33License, or (at your option) any later version.
34
35nss_nonlocal is distributed in the hope that it will be useful, but
36WITHOUT ANY WARRANTY; without even the implied warranty of
37MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
38Lesser General Public License for more details.
39
40You should have received a copy of the GNU Lesser General Public
41License along with nss_nonlocal; if not, write to the Free Software
42Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
4302110-1301  USA
Note: See TracBrowser for help on using the repository browser.