From 125a002fa365b8d5eba1f102caf735e024852c58 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Thu, 19 Sep 2024 20:15:34 -0700
Subject: [PATCH] users: Don't cache NSS user indentity information
nscd daemon caches queries made to NSS via glibc. In our case queries to passwd and group databases are cached. But this leads to many problems. See: https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520 The bug that this MR fixes, that is, the inaccuracy of the authentication data, is horrible and only acceptable if the caching provides very important functionality. Already, having to purge nscd caches after modifying user accounts is not nice. I believe that we have encountered this bug before and blamed libpam-abl due to the time sensitive nature of the problem. nscd itself recommends that it should be used if NSS lookup are expensive (such as in case of NIS, NIS+ queries according to /etc/init.d/nscd). In case of FreedomBox, LDAP queries are unlikely to be made using network. LDAP server is likely always local. I believe we can safely remove nscd by masking and stopping nscd.service and unscd.service. Tests: - After applying the patches, users app setup is re-run. Service nscd is stopped and masked. unscd is also masked. - Running 'id tester' shows expected value 'uid=10001(tester) gid=100(users) groups=100(users),10002(admin)'. - Adding, removing, renaming a user immediately reflects in 'id '. - Adding and removing a user from groups immediately reflects in 'id '.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Veiko Aasa
---
 debian/control | 2 --
 plinth/modules/users/__init__.py | 4 ++--
 .../systemd/system/nslcd.service.d/freedombox.conf | 4 ----
 plinth/modules/users/privileged.py | 14 ++++++++++----
 4 files changed, 12 insertions(+), 12 deletions(-)
 delete mode 100644 plinth/modules/users/data/usr/lib/systemd/system/nslcd.service.d/freedombox.conf
diff --git a/debian/control b/debian/control
index 974c2ff64..072b6ee71 100644
--- a/debian/control +++ b/debian/control @@ -104,8 +104,6 @@ Depends: lsof, netcat-openbsd, network-manager, -# Ensure that nscd is installed rather than unscd. - nscd (>= 2), ppp, pppoe, python3-apt, diff --git a/plinth/modules/users/__init__.py b/plinth/modules/users/__init__.py index 021dffa5e..69ab1e998 100644 --- a/plinth/modules/users/__init__.py +++ b/plinth/modules/users/__init__.py @@ -47,7 +47,7 @@ class UsersApp(app_module.App): app_id = 'users' - _version = 5 + _version = 6 can_be_disabled = False @@ -68,7 +68,7 @@ class UsersApp(app_module.App): packages = Packages('packages-users', [ 'ldapscripts', 'ldap-utils', 'libnss-ldapd', 'libpam-ldapd', - 'nscd', 'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools' + 'nslcd', 'samba-common-bin', 'slapd', 'tdb-tools' ]) self.add(packages) diff --git a/plinth/modules/users/data/usr/lib/systemd/system/nslcd.service.d/freedombox.conf b/plinth/modules/users/data/usr/lib/systemd/system/nslcd.service.d/freedombox.conf deleted file mode 100644 index f94d2c2f4..000000000 --- a/plinth/modules/users/data/usr/lib/systemd/system/nslcd.service.d/freedombox.conf +++ /dev/null @@ -1,4 +0,0 @@ -[Service] -# Invalidate LDAP related caches. -ExecStartPost=-nscd --invalidate=passwd -ExecStartPost=-nscd --invalidate=group diff --git a/plinth/modules/users/privileged.py b/plinth/modules/users/privileged.py index fde86ab5f..c0966fe3e 100644 --- a/plinth/modules/users/privileged.py +++ b/plinth/modules/users/privileged.py 
@@ -81,7 +81,15 @@ def _configure_ldap_authentication(): }) action_utils.dpkg_reconfigure('libnss-ldapd', {'nsswitch': 'group, passwd, shadow'}) - action_utils.service_restart('nscd') + + # NSS caching is not necessary in FreedomBox as lookup are done on a local + # LDAP daemon. Caching can lead to unexpected behavior after user account + # changes and after queries while nslcd is not running. See: + # https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2520 + action_utils.service_mask('nscd') + action_utils.service_stop('nscd') + action_utils.service_mask('unscd') + action_utils.service_stop('unscd') # XXX: Workaround for login issue action_utils.service_enable('slapd') @@ -479,9 +487,7 @@ def set_user_status(username: str, status: str, auth_user: str, def _flush_cache(): - """Flush nscd and apache2 cache.""" - _run(['nscd', '--invalidate=passwd']) - _run(['nscd', '--invalidate=group']) + """Flush apache2 cache.""" action_utils.service_reload('apache2')
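Review bot: `action_utils.service_stop('nscd')` and `action_utils.service_stop('unscd')` will now also run on installs where neither daemon exists, because the debian/control hunk drops the `nscd (>= 2)` dependency and the `__init__.py` hunk drops it from the package list; if `service_stop` propagates a non-zero exit from `systemctl stop` on a unit that is not loaded, users app setup would fail on a fresh install. Masking alone already keeps glibc from reaching a daemon that is not running, so the stop should be tolerant of an absent unit — either guard it with the module's running-state check or make the helper ignore the not-loaded case. The new comment has a grammar slip; suggest `# NSS caching is not necessary in FreedomBox as lookups are done on a local`. The body of `_configure_ldap_authentication` starts outside this hunk.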
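Review bot: `_flush_cache` now does nothing but reload apache2, so its name no longer describes what it does and its callers still read as if an NSS cache were being invalidated after an account change. Either rename it (e.g. `_reload_apache2`) at every call site, or have the docstring explain why the reload is still needed now that no NSS-level cache exists, e.g. `"""Reload apache2 after account changes; NSS lookups are no longer cached (nscd is masked), so nothing else needs flushing."""`. The hunk shows only the definition of `_flush_cache`; its callers are outside this hunk.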