* NSS and buffer length
@ 2020-07-07 20:11 Ivan Stana
2020-07-07 20:54 ` Carlos O'Donell
2020-07-08 12:14 ` Florian Weimer
0 siblings, 2 replies; 4+ messages in thread
From: Ivan Stana @ 2020-07-07 20:11 UTC (permalink / raw)
To: libc-help
Hi,
The project I'm working on is https://github.com/istana/libnss-maria
which use MariaDB as a source of NSS data. I have an issue with the
buffer length.
NSS documentation says:
> @tab ERANGE @tab The provided buffer is not large enough. The
function should be called again with a larger buffer.
It works in all implemented NSS functions well except for one. I have a
group with many users (approximately 100) exceeding initial buffer size.
The buffer is increased in all cases except one.
Here the buffer size is increased:
> $ getent group management
>
> second buffer out of range, buflen: 1024
> copy_group_members_to_group buflen: 2048
>management:x:10000:user001,user002,user003,user004,user005,user006,user007,user008,user009,user010,
>user011,user012,user013,user014,user015,user016,user017,user018,user019,user020,user021,user022,user023,
>user024,user025,user026,user027,user028,user029,user030,user031,user032,user033,user034,user035,user036,
>user037,user038,user039,user040,user041,user042,user043,user044,user045,user046,user047,user048,user049,
>user050,user051,user052,user053,user054,user055,user056,user057,user058,user059,user060,user061,user062,
>user063,user064,user065,user066,user067,user068,user069,user070,user071,user072,user073,user074,user075,
>user076,user077,user078,user079,user080,user081,user082,user083,user084,user085,user086,user087,user088,
>user089,user090,user091,user092,user093,user094,user095,user096,user097,user098,user099,user100,user101,
>user102,user103,user104,user105,user106,user107,user108
But in the enumeration of groups - the group is not present in the
output and the buffer size was not increased:
> $ getent group
>
> second buffer out of range, buflen: 1024
...there are other groups present which have small numbers of users
I tried it on Debian stable and Fedora 31 with the same result, glibc
version:
> dnf list --installed | grep glibc
> glibc.x86_64 2.30-11.fc31 @koji-override-0
The question is what can I do to see the group with many users? Thank
you for your answers.
Best regards
Ivan Stana
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: NSS and buffer length
2020-07-07 20:11 NSS and buffer length Ivan Stana
@ 2020-07-07 20:54 ` Carlos O'Donell
2020-07-08 12:10 ` Ivan Stana
2020-07-08 12:14 ` Florian Weimer
1 sibling, 1 reply; 4+ messages in thread
From: Carlos O'Donell @ 2020-07-07 20:54 UTC (permalink / raw)
To: Ivan Stana, libc-help
On 7/7/20 4:11 PM, Ivan Stana wrote:
> But in the enumeration of groups - the group is not present in the
> output and the buffer size was not increased:
>
>> $ getent group
>>
>> second buffer out of range, buflen: 1024
If the NSS plugin returns NSS_STATUS_TRYAGAIN and ERANGE then
getent should double the buffer size and retry the NSS call.
> The question is what can I do to see the group with many users? Thank
> you for your answers.
It should work. Other plugins make this work successfully.
I would suggest debugging getent directly setting breakpoints at
__nss_getent() and __nss_getent_r() and inside your plugin and
debug the API calls to see why the caller (getent in this case)
doesn't increase the buffer size.
--
Cheers,
Carlos.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: NSS and buffer length
2020-07-07 20:54 ` Carlos O'Donell
@ 2020-07-08 12:10 ` Ivan Stana
0 siblings, 0 replies; 4+ messages in thread
From: Ivan Stana @ 2020-07-08 12:10 UTC (permalink / raw)
To: Carlos O'Donell, libc-help
Thank you, I was able to debug the issue. getent indeed received
increased buffer, I should have rewind a database query when the buffer
was too small..
Best regards
Ivan Stana
On 07/07/2020 22:54, Carlos O'Donell wrote:
> On 7/7/20 4:11 PM, Ivan Stana wrote:
>> But in the enumeration of groups - the group is not present in the
>> output and the buffer size was not increased:
>>
>>> $ getent group
>>>
>>> second buffer out of range, buflen: 1024
> If the NSS plugin returns NSS_STATUS_TRYAGAIN and ERANGE then
> getent should double the buffer size and retry the NSS call.
>
>> The question is what can I do to see the group with many users? Thank
>> you for your answers.
> It should work. Other plugins make this work successfully.
>
> I would suggest debugging getent directly setting breakpoints at
> __nss_getent() and __nss_getent_r() and inside your plugin and
> debug the API calls to see why the caller (getent in this case)
> doesn't increase the buffer size.
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: NSS and buffer length
2020-07-07 20:11 NSS and buffer length Ivan Stana
2020-07-07 20:54 ` Carlos O'Donell
@ 2020-07-08 12:14 ` Florian Weimer
1 sibling, 0 replies; 4+ messages in thread
From: Florian Weimer @ 2020-07-08 12:14 UTC (permalink / raw)
To: Ivan Stana; +Cc: libc-help
* Ivan Stana:
> The project I'm working on is https://github.com/istana/libnss-maria
> which use MariaDB as a source of NSS data. I have an issue with the
> buffer length.
Please note that you should move the MariaDB interface code into a
separate daemon, for security and reliability reasons. This is what
nss_ldapd does (the “d” is crucial). NSS modules get loaded into SUID
programs, and the MariaDB client libraries are not prepared for that.
Furthermore, there is no way to store securely authentication tokens
for the database connection, hiding it from local users.
Thanks,
Florian
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-07-08 12:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-07 20:11 NSS and buffer length Ivan Stana
2020-07-07 20:54 ` Carlos O'Donell
2020-07-08 12:10 ` Ivan Stana
2020-07-08 12:14 ` Florian Weimer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).