-
Notifications
You must be signed in to change notification settings - Fork 6
/
README
43 lines (33 loc) · 1.78 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
This is nss_nonlocal, an nsswitch module that acts as a proxy for other
nsswitch modules like hesiod, but prevents non-local users from
potentially gaining local privileges by spoofing local UIDs and GIDs.
To use it, configure /etc/nsswitch.conf as follows:
passwd: compat nonlocal
passwd_nonlocal: hesiod
group: compat nonlocal
group_nonlocal: hesiod
The module also assigns special properties to two local groups and one
local user, if they exist:
• If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
will be automatically added to it. Furthermore, if a local user is
added to this group, then that user will inherit any nonlocal gids
from a nonlocal user of the same name, as supplementary gids.
• If the local group ‘nss-local-users’ exists, then local users will
be automatically added to it.
• If the local user ‘nss-nonlocal-users’ is added to a local group,
then the local group will inherit the nonlocal membership of a group
of the same gid.
Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
<tabbott@mit.edu>
nss_nonlocal is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.
nss_nonlocal is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with nss_nonlocal; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA