On 01/15/2016 02:12 PM, Nikola Forró wrote: >>From the current description of NSS compatibility mode it seems > that /etc/passwd is the only file where special entries are permitted. > But "compat" service can also be specified for group and shadow > databases, so this needs to be changed. > > The list of special entries is for passwd database only, group > and shadow databases are not mentioned. > Because group database does not support netgroup special entries and > it deals with groups, not users, it is better to make a separate list > of entries for it. > > It is true that the default source for the compat pseudo-databases > is "nis", but it can be overridden by any NSS service, not just > "nisplus". Even "compat" itself can be specified as the source for > the pseudo-databases, but doing that of course leads to infinite > recursion, so it makes sense to disallow that. > > The information was obtained from glibc source code, namely from > the following files: > nis/nss_compat/compat-pwd.c > nis/nss_compat/compat-grp.c > nis/nss_compat/compat-spwd.c Thanks, Nikola. Applied. Cheers, Michael > Signed-off-by: Nikola Forró <nforro@xxxxxxxxxx> > --- > man5/nsswitch.conf.5 | 40 ++++++++++++++++++++++++++++++++++------ > 1 file changed, 34 insertions(+), 6 deletions(-) > > diff --git a/man5/nsswitch.conf.5 b/man5/nsswitch.conf.5 > index 40ca9dc..f78bf85 100644 > --- a/man5/nsswitch.conf.5 > +++ b/man5/nsswitch.conf.5 > @@ -260,16 +260,22 @@ Call the next lookup function. > .RE > .SS Compatibility mode (compat) > The NSS "compat" service is similar to "files" except that it > -additionally permits special entries in > -.I /etc/passwd > +additionally permits special entries in corresponding files > for granting users or members of netgroups access to the system. > The following entries are valid in this mode: > .RS 4 > +.LP > +For > +.B passwd > +and > +.B shadow > +databases: > +.RS 4 > .TP 12 > .BI + user > Include the specified > .I user > -from the NIS passwd map. > +from the NIS passwd/shadow map. > .TP > .BI +@ netgroup > Include all users in the given > @@ -278,7 +284,7 @@ Include all users in the given > .BI \- user > Exclude the specified > .I user > -from the NIS passwd map. > +from the NIS passwd/shadow map. > .TP > .BI \-@ netgroup > Exclude all users in the given > @@ -286,11 +292,33 @@ Exclude all users in the given > .TP > .B + > Include every user, except previously excluded ones, from the > -NIS passwd map. > +NIS passwd/shadow map. > +.RE > +.LP > +For > +.B group > +database: > +.RS 4 > +.TP 12 > +.BI + group > +Include the specified > +.I group > +from the NIS group map. > +.TP > +.BI \- group > +Exclude the specified > +.I group > +from the NIS group map. > +.TP > +.B + > +Include every group, except previously excluded ones, from the > +NIS group map. > +.RE > .RE > .LP > By default, the source is "nis", but this may be > -overridden by specifying "nisplus" as the source for the pseudo-databases > +overridden by specifying any NSS service except "compat" itself > +as the source for the pseudo-databases > .BR passwd_compat , > .BR group_compat , > and > -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
