nss_wrapper(1)
==============
:revdate: 2015-09-12

NAME
----

nss_wrapper - A wrapper for the user, group and hosts NSS API

SYNOPSIS
--------

LD_PRELOAD=libnss_wrapper.so NSS_WRAPPER_PASSWD=/path/to/passwd NSS_WRAPPER_GROUP=/path/to/group NSS_WRAPPER_HOSTS=/path/to/host *./myapplication*

DESCRIPTION
-----------

Some projects provide daemons that need to create, modify and delete Unix
users, or that just switch user IDs to interact with the system, e.g. a user
space file server. To test such software you need the privilege to modify the
passwd and group files. With nss_wrapper you can define your own passwd and
group files, which the software uses so that it acts correctly while under
test.

If you have a client and server under test, they normally use functions to
resolve network names to addresses (DNS) or vice versa. nss_wrapper allows
you to create a hosts file to set up name resolution for the addresses you use
with socket_wrapper.

- Provides information for user and group accounts.
- Network name resolution using a hosts file.
- Loading and testing of NSS modules.

LIMITATIONS
-----------

Some calls in nss_wrapper only work if uid_wrapper is loaded and active.
One of these functions is initgroups(), which needs to run setgroups() to set
the groups for the user. setgroups() is wrapped by uid_wrapper.

ENVIRONMENT VARIABLES
---------------------

*NSS_WRAPPER_PASSWD*::
*NSS_WRAPPER_GROUP*::

For user and group accounts you need to create two files: 'passwd' and 'group'.
The format of the passwd file is described in 'man 5 passwd' and that of the
group file in 'man 5 group', so you can fill these files with made-up accounts.
You point nss_wrapper to them using the two variables
NSS_WRAPPER_PASSWD=/path/to/your/passwd and
NSS_WRAPPER_GROUP=/path/to/your/group.

*NSS_WRAPPER_HOSTS*::

If you also need to emulate network name resolution in your environment,
especially with socket_wrapper, you can write a hosts file. The format is
described in 'man 5 hosts'. Then you can point nss_wrapper to your hosts
file using: NSS_WRAPPER_HOSTS=/path/to/your/hosts

*NSS_WRAPPER_HOSTNAME*::

If you need to return a hostname which is different from the one your
machine is using, you can use: NSS_WRAPPER_HOSTNAME=test.example.org

*NSS_WRAPPER_MODULE_SO_PATH*::
*NSS_WRAPPER_MODULE_FN_PREFIX*::

If you have a project which also provides user and group information out of a
database, you normally write your own NSS modules. nss_wrapper is able to load
NSS modules and ask them first before looking into the faked passwd and group
files. To point nss_wrapper to the module, set
NSS_WRAPPER_MODULE_SO_PATH=/path/to/libnss_yourmodule.so. As each NSS module
has a special prefix, like _nss_winbind_getpwnam(), you need to set the prefix
too, so that nss_wrapper can load the functions, with
NSS_WRAPPER_MODULE_FN_PREFIX=<prefix>.

For _nss_winbind_getpwnam() this would be:

  NSS_WRAPPER_MODULE_FN_PREFIX=winbind

*NSS_WRAPPER_DEBUGLEVEL*::

If you need to see what is going on in nss_wrapper itself or try to find a
bug, you can enable logging support in nss_wrapper if you built it with
debug symbols.

- 0 = ERROR
- 1 = WARNING
- 2 = DEBUG
- 3 = TRACE

EXAMPLE
-------

    $ echo "bob:x:1000:1000:bob gecos:/home/test/bob:/bin/false" > passwd
    $ echo "root:x:65534:65532:root gecos:/home/test/root:/bin/false" >> passwd
    $ echo "users:x:1000:" > group
    $ echo "root:x:65532:" >> group
    $ LD_PRELOAD=libnss_wrapper.so NSS_WRAPPER_PASSWD=passwd \
      NSS_WRAPPER_GROUP=group getent passwd bob
    bob:x:1000:1000:bob gecos:/home/test/bob:/bin/false
    $ LD_PRELOAD=libnss_wrapper.so NSS_WRAPPER_HOSTNAME=test.example.org hostname
    test.example.org
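
A pre-flight script for the fixture files described under ENVIRONMENT VARIABLES and EXAMPLE, added here as an example; it is not part of the nss_wrapper documentation or project. It lints the passwd and group files and then confirms that lookups really come from the fixture, because the dynamic loader ignores a preload library it cannot open. The function names (nw_make_fixture, nw_lint, nw_run, nw_active) and the hosts entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the nss_wrapper project). Accounts are the
# constructed ones from the EXAMPLE section; the hosts entry is constructed.

# nw_make_fixture DIR: write passwd, group and hosts fixture files into DIR.
nw_make_fixture() {
    mkdir -p "$1" || return 1
    printf '%s\n' 'bob:x:1000:1000:bob gecos:/home/test/bob:/bin/false' \
        'root:x:65534:65532:root gecos:/home/test/root:/bin/false' > "$1/passwd"
    printf '%s\n' 'users:x:1000:' 'root:x:65532:' > "$1/group"
    printf '%s\n' '127.0.0.10 test.example.org test' > "$1/hosts"
}

# nw_lint DIR: succeed only if both files are well formed (7 fields per
# passwd line, 4 per group line, numeric IDs) and every primary GID in
# passwd is defined in group. Findings go to stderr.
nw_lint() {
    [ -s "$1/group" ] && [ -s "$1/passwd" ] || return 1
    awk -F: '
        FNR == NR {                               # first file: group
            if (NF == 4 && $3 ~ /^[0-9]+$/) gids[$3] = 1
            else { bad = 1; print "group:" FNR ": malformed" }
            next
        }
        NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            bad = 1; print "passwd:" FNR ": malformed"; next
        }
        !($4 in gids) { bad = 1; print "passwd:" FNR ": gid " $4 " not in group" }
        END { exit bad + 0 }
    ' "$1/group" "$1/passwd" >&2
}

# nw_run DIR CMD...: run CMD with the fixture active. Assumes
# libnss_wrapper.so is on the loader search path, as in the SYNOPSIS.
nw_run() {
    nw_dir=$1; shift
    LD_PRELOAD=libnss_wrapper.so NSS_WRAPPER_PASSWD="$nw_dir/passwd" \
    NSS_WRAPPER_GROUP="$nw_dir/group" NSS_WRAPPER_HOSTS="$nw_dir/hosts" "$@"
}

# nw_active DIR: succeed only if lookups really come from the fixture. The
# loader ignores a preload it cannot open, and the command would then see
# the real system accounts.
nw_active() {
    want=$(head -n 1 "$1/passwd")
    got=$(nw_run "$1" getent passwd "${want%%:*}" 2>/dev/null) || return 1
    [ "$got" = "$want" ]
}
```

Run `nw_lint DIR && nw_active DIR` once before the test suite starts and abort if either fails.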