mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-07-01 11:31:28 +00:00
users: Don't cache NSS user indentity information
nscd daemon caches queries made to NSS via glibc. In our case queries to passwd and group databases are cached. But this leads to many problems. See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520 The bug that this MR fixes, that is, the inaccuracy of the authentication data, is horrible and only acceptable if the caching provides very important functionality. Already, having to purge nscd caches after modifying user accounts is not nice. I believe that we have encountered this bug before and blamed libpam-abl due to the time sensitive nature of the problem. nscd itself recommends that it should be used if NSS lookup are expensive (such as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is likely always local. I believe we can safely remove nscd by masking and stopping nscd.service and unscd.service. Tests: - After applying the patches, users app setup is re-run. Service nscd is stopped and masked. unscd is also masked. - Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users) groups=100(users),10002(admin)'. - Adding, removing, renaming a user immediately reflects in 'id <user>'. - Adding and removing a user from groups immediately reflects in 'id <user>'. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This commit is contained in:
parent
1dabc220b4
commit
125a002fa3
2
debian/control
vendored
2
debian/control
vendored
@ -104,8 +104,6 @@ Depends:
|
||||
lsof,
|
||||
netcat-openbsd,
|
||||
network-manager,
|
||||
# Ensure that nscd is installed rather than unscd.
|
||||
nscd (>= 2),
|
||||
ppp,
|
||||
pppoe,
|
||||
python3-apt,
|
||||
|
||||
@ -47,7 +47,7 @@ class UsersApp(app_module.App):
|
||||
|
||||
app_id = 'users'
|
||||
|
||||
_version = 5
|
||||
_version = 6
|
||||
|
||||
can_be_disabled = False
|
||||
|
||||
@ -68,7 +68,7 @@ class UsersApp(app_module.App):
|
||||
|
||||
packages = Packages('packages-users', [
|
||||
'ldapscripts', 'ldap-utils', 'libnss-ldapd', 'libpam-ldapd',
|
||||
'nscd', 'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools'
|
||||
'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools'
|
||||
])
|
||||
self.add(packages)
|
||||
|
||||
|
||||
@ -1,4 +0,0 @@
|
||||
[Service]
|
||||
# Invalidate LDAP related caches.
|
||||
ExecStartPost=-nscd --invalidate=passwd
|
||||
ExecStartPost=-nscd --invalidate=group
|
||||
@ -81,7 +81,15 @@ def _configure_ldap_authentication():
|
||||
})
|
||||
action_utils.dpkg_reconfigure('libnss-ldapd',
|
||||
{'nsswitch': 'group, passwd, shadow'})
|
||||
action_utils.service_restart('nscd')
|
||||
|
||||
# NSS caching is not necessary in FreedomBox as lookup are done on a local
|
||||
# LDAP daemon. Caching can lead to unexpected behavior after user account
|
||||
# changes and after queries while nslcd is not running. See:
|
||||
# https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520
|
||||
action_utils.service_mask('nscd')
|
||||
action_utils.service_stop('nscd')
|
||||
action_utils.service_mask('unscd')
|
||||
action_utils.service_stop('unscd')
|
||||
|
||||
# XXX: Workaround for login issue
|
||||
action_utils.service_enable('slapd')
|
||||
@ -479,9 +487,7 @@ def set_user_status(username: str, status: str, auth_user: str,
|
||||
|
||||
|
||||
def _flush_cache():
|
||||
"""Flush nscd and apache2 cache."""
|
||||
_run(['nscd', '--invalidate=passwd'])
|
||||
_run(['nscd', '--invalidate=group'])
|
||||
"""Flush apache2 cache."""
|
||||
action_utils.service_reload('apache2')
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user