users: Don't cache NSS user indentity information

nscd daemon caches queries made to NSS via glibc. In our case queries to passwd
and group databases are cached. But this leads to many problems.

See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520

The bug that this MR fixes, that is, the inaccuracy of the authentication data,
is horrible and only acceptable if the caching provides very important
functionality. Already, having to purge nscd caches after modifying user
accounts is not nice.

I believe that we have encountered this bug before and blamed libpam-abl due to
the time sensitive nature of the problem.

nscd itself recommends that it should be used if NSS lookup are expensive (such
as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of
FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is
likely always local. I believe we can safely remove nscd by masking and stopping
nscd.service and unscd.service.

Tests:

- After applying the patches, users app setup is re-run. Service nscd is stopped
and masked. unscd is also masked.

- Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users)
groups=100(users),10002(admin)'.

- Adding, removing, renaming a user immediately reflects in 'id <user>'.

- Adding and removing a user from groups immediately reflects in 'id <user>'.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This commit is contained in:
Sunil Mohan Adapa 2024-09-19 20:15:34 -07:00 committed by Veiko Aasa
parent 1dabc220b4
commit 125a002fa3
No known key found for this signature in database
GPG Key ID: 478539CAE680674E
4 changed files with 12 additions and 12 deletions

2
debian/control vendored
View File

@ -104,8 +104,6 @@ Depends:
lsof,
netcat-openbsd,
network-manager,
# Ensure that nscd is installed rather than unscd.
nscd (>= 2),
ppp,
pppoe,
python3-apt,

View File

@ -47,7 +47,7 @@ class UsersApp(app_module.App):
app_id = 'users'
_version = 5
_version = 6
can_be_disabled = False
@ -68,7 +68,7 @@ class UsersApp(app_module.App):
packages = Packages('packages-users', [
'ldapscripts', 'ldap-utils', 'libnss-ldapd', 'libpam-ldapd',
'nscd', 'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools'
'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools'
])
self.add(packages)

View File

@ -1,4 +0,0 @@
[Service]
# Invalidate LDAP related caches.
ExecStartPost=-nscd --invalidate=passwd
ExecStartPost=-nscd --invalidate=group

View File

@ -81,7 +81,15 @@ def _configure_ldap_authentication():
})
action_utils.dpkg_reconfigure('libnss-ldapd',
{'nsswitch': 'group, passwd, shadow'})
action_utils.service_restart('nscd')
# NSS caching is not necessary in FreedomBox as lookup are done on a local
# LDAP daemon. Caching can lead to unexpected behavior after user account
# changes and after queries while nslcd is not running. See:
# https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520
action_utils.service_mask('nscd')
action_utils.service_stop('nscd')
action_utils.service_mask('unscd')
action_utils.service_stop('unscd')
# XXX: Workaround for login issue
action_utils.service_enable('slapd')
@ -479,9 +487,7 @@ def set_user_status(username: str, status: str, auth_user: str,
def _flush_cache():
"""Flush nscd and apache2 cache."""
_run(['nscd', '--invalidate=passwd'])
_run(['nscd', '--invalidate=group'])
"""Flush apache2 cache."""
action_utils.service_reload('apache2')