Index: head/lib/libc/net/nsdispatch.c
===================================================================
--- head/lib/libc/net/nsdispatch.c (revision 340338)
+++ head/lib/libc/net/nsdispatch.c (revision 340339)
@@ -1,772 +1,783 @@ /* $NetBSD: nsdispatch.c,v 1.9 1999/01/25 00:16:17 lukem Exp $ */ /*- * SPDX-License-Identifier: BSD-2-Clause-NetBSD * * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc. * All rights reserved. * * This code is derived from software contributed to The NetBSD Foundation * by Luke Mewburn. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ /*- * Copyright (c) 2003 Networks Associates Technology, Inc. * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by * Jacques A. Vidrine, Safeport Network Services, and Network * Associates Laboratories, the Security Research Division of Network * Associates, Inc. 
under DARPA/SPAWAR contract N66001-01-C-8035 * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ #include __FBSDID("$FreeBSD$"); #include "namespace.h" #include #include #include #include #include #define _NS_PRIVATE #include #include #include #include #include #include #include #include #include "un-namespace.h" #include "nss_tls.h" #include "libc_private.h" #ifdef NS_CACHING #include "nscache.h" #endif enum _nss_constants { /* Number of elements allocated when we grow a vector */ ELEMSPERCHUNK = 8 }; /* * Global NSS data structures are mostly read-only, but we update * them when we read or re-read the nsswitch.conf. 
*/ static pthread_rwlock_t nss_lock = PTHREAD_RWLOCK_INITIALIZER; /* * Runtime determination of whether we are dynamically linked or not. */ extern int _DYNAMIC __attribute__ ((weak)); #define is_dynamic() (&_DYNAMIC != NULL) /* * default sourcelist: `files' */ const ns_src __nsdefaultsrc[] = { { NSSRC_FILES, NS_SUCCESS }, { 0 }, }; /* Database, source mappings. */ static unsigned int _nsmapsize; static ns_dbt *_nsmap = NULL; /* NSS modules. */ static unsigned int _nsmodsize; static ns_mod *_nsmod; /* Placeholder for builtin modules' dlopen `handle'. */ static int __nss_builtin_handle; static void *nss_builtin_handle = &__nss_builtin_handle; #ifdef NS_CACHING /* * Cache lookup cycle prevention function - if !NULL then no cache lookups * will be made */ static void *nss_cache_cycle_prevention_func = NULL; #endif /* * We keep track of nsdispatch() nesting depth in dispatch_depth. When a * fallback method is invoked from nsdispatch(), we temporarily set * fallback_depth to the current dispatch depth plus one. Subsequent * calls at that exact depth will run in fallback mode (restricted to the * same source as the call that was handled by the fallback method), while * calls below that depth will be handled normally, allowing fallback * methods to perform arbitrary lookups. */ struct fb_state { int dispatch_depth; int fallback_depth; }; static void fb_endstate(void *); NSS_TLS_HANDLING(fb); /* * Attempt to spew relatively uniform messages to syslog. */ #define nss_log(level, fmt, ...) \ syslog((level), "NSSWITCH(%s): " fmt, __func__, __VA_ARGS__) #define nss_log_simple(level, s) \ syslog((level), "NSSWITCH(%s): " s, __func__) /* * Dynamically growable arrays are used for lists of databases, sources, * and modules. The following `vector' interface is used to isolate the * common operations. 
*/ typedef int (*vector_comparison)(const void *, const void *); typedef void (*vector_free_elem)(void *); static void vector_sort(void *, unsigned int, size_t, vector_comparison); static void vector_free(void *, unsigned int *, size_t, vector_free_elem); static void *vector_ref(unsigned int, void *, unsigned int, size_t); static void *vector_search(const void *, void *, unsigned int, size_t, vector_comparison); static void *vector_append(const void *, void *, unsigned int *, size_t); /* * Internal interfaces. */ static int string_compare(const void *, const void *); static int mtab_compare(const void *, const void *); static int nss_configure(void); static void ns_dbt_free(ns_dbt *); static void ns_mod_free(ns_mod *); static void ns_src_free(ns_src **, int); static void nss_load_builtin_modules(void); static void nss_load_module(const char *, nss_module_register_fn); static void nss_atexit(void); /* nsparser */ extern FILE *_nsyyin; /* * The vector operations */ static void vector_sort(void *vec, unsigned int count, size_t esize, vector_comparison comparison) { qsort(vec, count, esize, comparison); } static void * vector_search(const void *key, void *vec, unsigned int count, size_t esize, vector_comparison comparison) { return (bsearch(key, vec, count, esize, comparison)); } static void * vector_append(const void *elem, void *vec, unsigned int *count, size_t esize) { void *p; if ((*count % ELEMSPERCHUNK) == 0) { p = reallocarray(vec, *count + ELEMSPERCHUNK, esize); if (p == NULL) { nss_log_simple(LOG_ERR, "memory allocation failure"); return (vec); } vec = p; } memmove((void *)(((uintptr_t)vec) + (*count * esize)), elem, esize); (*count)++; return (vec); } static void * vector_ref(unsigned int i, void *vec, unsigned int count, size_t esize) { if (i < count) return (void *)((uintptr_t)vec + (i * esize)); else return (NULL); } #define VECTOR_FREE(v, c, s, f) \ do { vector_free(v, c, s, f); v = NULL; } while (0) static void vector_free(void *vec, unsigned int *count, 
size_t esize, vector_free_elem free_elem) { unsigned int i; void *elem; for (i = 0; i < *count; i++) { elem = vector_ref(i, vec, *count, esize); if (elem != NULL) free_elem(elem); } free(vec); *count = 0; } /* * Comparison functions for vector_search. */ static int string_compare(const void *a, const void *b) { return (strcasecmp(*(const char * const *)a, *(const char * const *)b)); } static int mtab_compare(const void *a, const void *b) { int cmp; cmp = strcmp(((const ns_mtab *)a)->name, ((const ns_mtab *)b)->name); if (cmp != 0) return (cmp); else return (strcmp(((const ns_mtab *)a)->database, ((const ns_mtab *)b)->database)); } /* * NSS nsmap management. */ void _nsdbtaddsrc(ns_dbt *dbt, const ns_src *src) { const ns_mod *modp; dbt->srclist = vector_append(src, dbt->srclist, &dbt->srclistsize, sizeof(*src)); modp = vector_search(&src->name, _nsmod, _nsmodsize, sizeof(*_nsmod), string_compare); if (modp == NULL) nss_load_module(src->name, NULL); } #ifdef _NSS_DEBUG void _nsdbtdump(const ns_dbt *dbt) { int i; printf("%s (%d source%s):", dbt->name, dbt->srclistsize, dbt->srclistsize == 1 ? "" : "s"); for (i = 0; i < (int)dbt->srclistsize; i++) { printf(" %s", dbt->srclist[i].name); if (!(dbt->srclist[i].flags & (NS_UNAVAIL|NS_NOTFOUND|NS_TRYAGAIN)) && (dbt->srclist[i].flags & NS_SUCCESS)) continue; printf(" ["); if (!(dbt->srclist[i].flags & NS_SUCCESS)) printf(" SUCCESS=continue"); if (dbt->srclist[i].flags & NS_UNAVAIL) printf(" UNAVAIL=return"); if (dbt->srclist[i].flags & NS_NOTFOUND) printf(" NOTFOUND=return"); if (dbt->srclist[i].flags & NS_TRYAGAIN) printf(" TRYAGAIN=return"); printf(" ]"); } printf("\n"); } #endif /* * The first time nsdispatch is called (during a process's lifetime, * or after nsswitch.conf has been updated), nss_configure will * prepare global data needed by NSS. 
*/ static int nss_configure(void) { static time_t confmod;
+ static int already_initialized = 0;
 struct stat statbuf; int result, isthreaded; const char *path; #ifdef NS_CACHING void *handle; #endif result = 0; isthreaded = __isthreaded; #if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT) /* NOTE WELL: THIS IS A SECURITY HOLE. This must only be built * for debugging purposes and MUST NEVER be used in production. */ path = getenv("NSSWITCH_CONF"); if (path == NULL) #endif path = _PATH_NS_CONF;
+#ifndef NS_REREAD_CONF
+ /*
+ * Define NS_REREAD_CONF to have nsswitch notice changes
+ * to nsswitch.conf(5) during runtime. This involves calling
+ * stat(2) every time, which can result in performance hit.
+ */
+ if (already_initialized)
+ return (0);
+ already_initialized = 1;
+#endif /* NS_REREAD_CONF */
 if (stat(path, &statbuf) != 0) return (0); if (statbuf.st_mtime <= confmod) return (0); if (isthreaded) { (void)_pthread_rwlock_unlock(&nss_lock); result = _pthread_rwlock_wrlock(&nss_lock); if (result != 0) return (result); if (stat(path, &statbuf) != 0) goto fin; if (statbuf.st_mtime <= confmod) goto fin; } _nsyyin = fopen(path, "re"); if (_nsyyin == NULL) goto fin; VECTOR_FREE(_nsmap, &_nsmapsize, sizeof(*_nsmap), (vector_free_elem)ns_dbt_free); VECTOR_FREE(_nsmod, &_nsmodsize, sizeof(*_nsmod), (vector_free_elem)ns_mod_free); if (confmod == 0) (void)atexit(nss_atexit); nss_load_builtin_modules(); _nsyyparse(); (void)fclose(_nsyyin); vector_sort(_nsmap, _nsmapsize, sizeof(*_nsmap), string_compare); confmod = statbuf.st_mtime; #ifdef NS_CACHING handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); if (handle != NULL) { nss_cache_cycle_prevention_func = dlsym(handle, "_nss_cache_cycle_prevention_function"); dlclose(handle); } #endif fin: if (isthreaded) { (void)_pthread_rwlock_unlock(&nss_lock); if (result == 0) result = _pthread_rwlock_rdlock(&nss_lock); } return (result); } void _nsdbtput(const ns_dbt *dbt) { unsigned int i; ns_dbt *p; for (i = 0; i < _nsmapsize; i++) {
p = vector_ref(i, _nsmap, _nsmapsize, sizeof(*_nsmap)); if (string_compare(&dbt->name, &p->name) == 0) { /* overwrite existing entry */ if (p->srclist != NULL) ns_src_free(&p->srclist, p->srclistsize); memmove(p, dbt, sizeof(*dbt)); return; } } _nsmap = vector_append(dbt, _nsmap, &_nsmapsize, sizeof(*_nsmap)); } static void ns_dbt_free(ns_dbt *dbt) { ns_src_free(&dbt->srclist, dbt->srclistsize); if (dbt->name) free((void *)dbt->name); } static void ns_src_free(ns_src **src, int srclistsize) { int i; for (i = 0; i < srclistsize; i++) if ((*src)[i].name != NULL) /* This one was allocated by nslexer. You'll just * have to trust me. */ free((void *)((*src)[i].name)); free(*src); *src = NULL; } /* * NSS module management. */ /* The built-in NSS modules are all loaded at once. */ #define NSS_BACKEND(name, reg) \ ns_mtab *reg(unsigned int *, nss_module_unregister_fn *); #include "nss_backends.h" #undef NSS_BACKEND static void nss_load_builtin_modules(void) { #define NSS_BACKEND(name, reg) nss_load_module(#name, reg); #include "nss_backends.h" #undef NSS_BACKEND } /* Load a built-in or dynamically linked module. If the `reg_fn' * argument is non-NULL, assume a built-in module and use reg_fn to * register it. Otherwise, search for a dynamic NSS module. */ static void nss_load_module(const char *source, nss_module_register_fn reg_fn) { char buf[PATH_MAX]; ns_mod mod; nss_module_register_fn fn; memset(&mod, 0, sizeof(mod)); mod.name = strdup(source); if (mod.name == NULL) { nss_log_simple(LOG_ERR, "memory allocation failure"); return; } if (reg_fn != NULL) { /* The placeholder is required, as a NULL handle * represents an invalid module. 
*/ mod.handle = nss_builtin_handle; fn = reg_fn; } else if (!is_dynamic()) { goto fin; } else if (strcmp(source, NSSRC_CACHE) == 0 || strcmp(source, NSSRC_COMPAT) == 0 || strcmp(source, NSSRC_DB) == 0 || strcmp(source, NSSRC_DNS) == 0 || strcmp(source, NSSRC_FILES) == 0 || strcmp(source, NSSRC_NIS) == 0) { /* * Avoid calling dlopen(3) for built-in modules. */ goto fin; } else { if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name, NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf)) goto fin; mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY); if (mod.handle == NULL) { #ifdef _NSS_DEBUG /* This gets pretty annoying since the built-in * sources aren't modules yet. */ nss_log(LOG_DEBUG, "%s, %s", mod.name, dlerror()); #endif goto fin; } fn = (nss_module_register_fn)dlfunc(mod.handle, "nss_module_register"); if (fn == NULL) { (void)dlclose(mod.handle); mod.handle = NULL; nss_log(LOG_ERR, "%s, %s", mod.name, dlerror()); goto fin; } } mod.mtab = fn(mod.name, &mod.mtabsize, &mod.unregister); if (mod.mtab == NULL || mod.mtabsize == 0) { if (mod.handle != nss_builtin_handle) (void)dlclose(mod.handle); mod.handle = NULL; nss_log(LOG_ERR, "%s, registration failed", mod.name); goto fin; } if (mod.mtabsize > 1) qsort(mod.mtab, mod.mtabsize, sizeof(mod.mtab[0]), mtab_compare); fin: _nsmod = vector_append(&mod, _nsmod, &_nsmodsize, sizeof(*_nsmod)); vector_sort(_nsmod, _nsmodsize, sizeof(*_nsmod), string_compare); } static int exiting = 0; static void ns_mod_free(ns_mod *mod) { free(mod->name); if (mod->handle == NULL) return; if (mod->unregister != NULL) mod->unregister(mod->mtab, mod->mtabsize); if (mod->handle != nss_builtin_handle && !exiting) (void)dlclose(mod->handle); } /* * Cleanup */ static void nss_atexit(void) { int isthreaded; exiting = 1; isthreaded = __isthreaded; if (isthreaded) (void)_pthread_rwlock_wrlock(&nss_lock); VECTOR_FREE(_nsmap, &_nsmapsize, sizeof(*_nsmap), (vector_free_elem)ns_dbt_free); VECTOR_FREE(_nsmod, &_nsmodsize, sizeof(*_nsmod), 
(vector_free_elem)ns_mod_free); if (isthreaded) (void)_pthread_rwlock_unlock(&nss_lock); } /* * Finally, the actual implementation. */ static nss_method nss_method_lookup(const char *source, const char *database, const char *method, const ns_dtab disp_tab[], void **mdata) { ns_mod *mod; ns_mtab *match, key; int i; if (disp_tab != NULL) for (i = 0; disp_tab[i].src != NULL; i++) if (strcasecmp(source, disp_tab[i].src) == 0) { *mdata = disp_tab[i].mdata; return (disp_tab[i].method); } mod = vector_search(&source, _nsmod, _nsmodsize, sizeof(*_nsmod), string_compare); if (mod != NULL && mod->handle != NULL) { key.database = database; key.name = method; match = bsearch(&key, mod->mtab, mod->mtabsize, sizeof(mod->mtab[0]), mtab_compare); if (match != NULL) { *mdata = match->mdata; return (match->method); } } *mdata = NULL; return (NULL); } static void fb_endstate(void *p) { free(p); } __weak_reference(_nsdispatch, nsdispatch); int _nsdispatch(void *retval, const ns_dtab disp_tab[], const char *database, const char *method_name, const ns_src defaults[], ...) 
{ va_list ap; const ns_dbt *dbt; const ns_src *srclist; nss_method method, fb_method; void *mdata; int isthreaded, serrno, i, result, srclistsize; struct fb_state *st; int saved_depth; #ifdef NS_CACHING nss_cache_data cache_data; nss_cache_data *cache_data_p; int cache_flag; #endif dbt = NULL; fb_method = NULL; isthreaded = __isthreaded; serrno = errno; if (isthreaded) { result = _pthread_rwlock_rdlock(&nss_lock); if (result != 0) { result = NS_UNAVAIL; goto fin; } } result = fb_getstate(&st); if (result != 0) { result = NS_UNAVAIL; goto fin; } result = nss_configure(); if (result != 0) { result = NS_UNAVAIL; goto fin; } ++st->dispatch_depth; if (st->dispatch_depth > st->fallback_depth) { dbt = vector_search(&database, _nsmap, _nsmapsize, sizeof(*_nsmap), string_compare); fb_method = nss_method_lookup(NSSRC_FALLBACK, database, method_name, disp_tab, &mdata); } if (dbt != NULL) { srclist = dbt->srclist; srclistsize = dbt->srclistsize; } else { srclist = defaults; srclistsize = 0; while (srclist[srclistsize].name != NULL) srclistsize++; } #ifdef NS_CACHING cache_data_p = NULL; cache_flag = 0; #endif for (i = 0; i < srclistsize; i++) { result = NS_NOTFOUND; method = nss_method_lookup(srclist[i].name, database, method_name, disp_tab, &mdata); if (method != NULL) { #ifdef NS_CACHING if (strcmp(srclist[i].name, NSSRC_CACHE) == 0 && nss_cache_cycle_prevention_func == NULL) { #ifdef NS_STRICT_LIBC_EID_CHECKING if (issetugid() != 0) continue; #endif cache_flag = 1; memset(&cache_data, 0, sizeof(nss_cache_data)); cache_data.info = (nss_cache_info const *)mdata; cache_data_p = &cache_data; va_start(ap, defaults); if (cache_data.info->id_func != NULL) result = __nss_common_cache_read(retval, cache_data_p, ap); else if (cache_data.info->marshal_func != NULL) result = __nss_mp_cache_read(retval, cache_data_p, ap); else result = __nss_mp_cache_end(retval, cache_data_p, ap); va_end(ap); } else { cache_flag = 0; errno = 0; va_start(ap, defaults); result = method(retval, mdata, ap); 
va_end(ap); } #else /* NS_CACHING */ errno = 0; va_start(ap, defaults); result = method(retval, mdata, ap); va_end(ap); #endif /* NS_CACHING */ if (result & (srclist[i].flags)) break; } else { if (fb_method != NULL) { saved_depth = st->fallback_depth; st->fallback_depth = st->dispatch_depth + 1; va_start(ap, defaults); result = fb_method(retval, (void *)srclist[i].name, ap); va_end(ap); st->fallback_depth = saved_depth; } else nss_log(LOG_DEBUG, "%s, %s, %s, not found, " "and no fallback provided", srclist[i].name, database, method_name); } } #ifdef NS_CACHING if (cache_data_p != NULL && (result & (NS_NOTFOUND | NS_SUCCESS)) && cache_flag == 0) { va_start(ap, defaults); if (result == NS_SUCCESS) { if (cache_data.info->id_func != NULL) __nss_common_cache_write(retval, cache_data_p, ap); else if (cache_data.info->marshal_func != NULL) __nss_mp_cache_write(retval, cache_data_p, ap); } else if (result == NS_NOTFOUND) { if (cache_data.info->id_func == NULL) { if (cache_data.info->marshal_func != NULL) __nss_mp_cache_write_submit(retval, cache_data_p, ap); } else __nss_common_cache_write_negative(cache_data_p); } va_end(ap); } #endif /* NS_CACHING */ if (isthreaded) (void)_pthread_rwlock_unlock(&nss_lock); --st->dispatch_depth; fin: errno = serrno; return (result); }
Index: head/share/man/man5/nsswitch.conf.5
===================================================================
--- head/share/man/man5/nsswitch.conf.5 (revision 340338)
+++ head/share/man/man5/nsswitch.conf.5 (revision 340339)
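Review bot: In nss_configure(), `already_initialized` is tested and set while the caller (_nsdispatch) holds only the read lock on nss_lock, and it is set before nsswitch.conf has actually been parsed. A second thread that enters while the first is still trading its read lock for the write lock sees the flag set, returns 0, and runs its lookup against an empty `_nsmap`, so it silently uses the default source list rather than the sources the administrator configured. A failed stat(), fopen() or wrlock on the first call likewise leaves the process unconfigured for its whole lifetime, since no later call retries. Keep the early `if (already_initialized) return (0);` but move `already_initialized = 1;` down to just after `confmod = statbuf.st_mtime;` (still inside `#ifndef NS_REREAD_CONF`), where parsing has completed and, in threaded processes, the write lock is held.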
@@ -1,386 +1,392 @@ .\" $NetBSD: nsswitch.conf.5,v 1.14 1999/03/17 20:19:47 garbled Exp $ .\" .\" Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This code is derived from software contributed to The NetBSD Foundation .\" by Luke Mewburn. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by Luke Mewburn. .\" 4. The name of the author may not be used to endorse or promote products .\" derived from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS .\" OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR .\" TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE .\" USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
.\" .\" $FreeBSD$ .\" -.Dd June 6, 2016 +.Dd November 10, 2018 .Dt NSSWITCH.CONF 5 .Os .Sh NAME .Nm nsswitch.conf .Nd name-service switch configuration file .Sh DESCRIPTION The .Nm file specifies how the .Xr nsdispatch 3 (name-service switch dispatcher) routines in the C library should operate. .Pp The configuration file controls how a process looks up various databases containing information regarding hosts, users (passwords), groups, etc. Each database comes from a source (such as local files, DNS, .Tn NIS , and cache), and the order to look up the sources is specified in .Nm . .Pp Each entry in .Nm consists of a database name, and a space separated list of sources. Each source can have an optional trailing criterion that determines whether the next listed source is used, or the search terminates at the current source. Each criterion consists of one or more status codes, and actions to take if that status code occurs. .Ss Sources The following sources are implemented: .Pp .Bl -tag -width Source -compact .It Sy Source .Sy Description .It files Local files, such as .Pa /etc/hosts , and .Pa /etc/passwd . .It db Local database. .It dns Internet Domain Name System. .Dq hosts and .Sq networks use .Sy IN class entries, all other databases use .Sy HS class (Hesiod) entries. .It nis NIS (formerly YP) .It compat support .Sq +/- in the .Dq passwd and .Dq group databases. If this is present, it must be the only source for that entry. .It cache makes use of the .Xr nscd 8 daemon. 
.El .Ss Databases The following databases are used by the following C library functions: .Pp .Bl -tag -width networks -compact .It Sy Database .Sy "Used by" .It group .Xr getgrent 3 , .Xr getgrent_r 3 , .Xr getgrgid_r 3 , .Xr getgrnam_r 3 , .Xr setgrent 3 , .Xr endgrent 3 .It hosts .Xr getaddrinfo 3 , .Xr gethostbyaddr 3 , .Xr gethostbyaddr_r 3 , .Xr gethostbyname 3 , .Xr gethostbyname2 3 , .Xr gethostbyname_r 3 , .Xr getipnodebyaddr 3 , .Xr getipnodebyname 3 .It networks .Xr getnetbyaddr 3 , .Xr getnetbyaddr_r 3 , .Xr getnetbyname 3 , .Xr getnetbyname_r 3 .It passwd .Xr getpwent 3 , .Xr getpwent_r 3 , .Xr getpwnam_r 3 , .Xr getpwuid_r 3 , .Xr setpwent 3 , .Xr endpwent 3 .It shells .Xr getusershell 3 .It services .Xr getservent 3 .It rpc .Xr getrpcbyname 3 , .Xr getrpcbynumber 3 , .Xr getrpcent 3 .It proto .Xr getprotobyname 3 , .Xr getprotobynumber 3 , .Xr getprotoent 3 .It netgroup .Xr getnetgrent 3 , .Xr getnetgrent_r 3 , .Xr setnetgrent 3 , .Xr endnetgrent 3 , .Xr innetgr 3 .El .Ss Status codes The following status codes are available: .Pp .Bl -tag -width tryagain -compact .It Sy Status .Sy Description .It success The requested entry was found. .It notfound The entry is not present at this source. .It tryagain The source is busy, and may respond to retries. .It unavail The source is not responding, or entry is corrupt. .El .Ss Actions For each of the status codes, one of two actions is possible: .Pp .Bl -tag -width continue -compact .It Sy Action .Sy Description .It continue Try the next source .It return Return with the current result .El .Ss Format of file A .Tn BNF description of the syntax of .Nm is: .Pp .Bl -tag -width -compact .It ::= ":" [ []]* .It ::= "[" + "]" .It ::= "=" .It ::= "success" | "notfound" | "unavail" | "tryagain" .It ::= "return" | "continue" .El .Pp Each entry starts on a new line in the file. A .Sq # delimits a comment to end of line. Blank lines are ignored. 
A .Sq \e at the end of a line escapes the newline, and causes the next line to be a continuation of the current line. All entries are case-insensitive. .Pp The default criteria is to return on .Dq success , and continue on anything else (i.e, .Li "[success=return notfound=continue unavail=continue tryagain=continue]" ) . .Ss Cache You can enable caching for the particular database by specifying .Dq cache as the first source in the .Nm file. You should also enable caching for this database in .Xr nscd.conf 5 . If for the particular query .Dq cache source returns success, no further sources are queried. On the other hand, if there are no previously cached data, the query result will be placed into the cache right after all other sources are processed. Note, that .Dq cache requires .Xr nscd 8 daemon to be running. .Ss Compat mode: +/- syntax In historical multi-source implementations, the .Sq + and .Sq - characters are used to specify the importing of user password and group information from .Tn NIS . Although .Nm provides alternative methods of accessing distributed sources such as .Tn NIS , specifying a sole source of .Dq compat will provide the historical behaviour. .Pp An alternative source for the information accessed via .Sq +/- can be used by specifying .Dq passwd_compat: source . .Dq source in this case can be .Sq dns , .Sq nis , or any other source except for .Sq files and .Sq compat . .Ss Notes Historically, many of the databases had enumeration functions, often of the form .Fn getXXXent . These made sense when the databases were in local files, but do not make sense or have lesser relevance when there are possibly multiple sources, each of an unknown size. The interfaces are still provided for compatibility, but the source may not be able to provide complete entries, or duplicate entries may be retrieved if multiple sources that contain similar information are specified. 
.Pp To ensure compatibility with previous and current implementations, the .Dq compat source must appear alone for a given database. .Ss Default source lists If, for any reason, .Nm does not exist, or it has missing or corrupt entries, .Xr nsdispatch 3 will default to an entry of .Dq files for the requested database. Exceptions are: .Pp .Bl -tag -width services_compat -compact .It Sy Database .Sy "Default source list" .It group compat .It group_compat nis .It hosts files dns .It passwd compat .It passwd_compat nis .It services compat .It services_compat nis .El .Sh FILES .Bl -tag -width /etc/nsswitch.conf -compact .It Pa /etc/nsswitch.conf The file .Nm resides in .Pa /etc . .El .Sh EXAMPLES To lookup hosts in cache, then in .Pa /etc/hosts and then from the DNS, and lookup user information from .Tn NIS then files, use: .Pp .Bl -tag -width passwd: -compact .It hosts: cache files dns .It passwd: nis [notfound=return] files .It group: nis [notfound=return] files .El .Pp The criteria .Dq [notfound=return] sets a policy of "if the user is notfound in nis, do not try files." This treats nis as the authoritative source of information, except when the server is down. .Sh NOTES
+The
+.Nm
+file is parsed by each program only once.
+Subsequent changes will not be applied until the program
+is restarted.
+.Pp
 If system got compiled with .Va WITHOUT_NIS you have to remove .Sq nis entries. .Pp .Fx Ns 's .Lb libc provides stubs for compatibility with NSS modules written for the .Tn GNU C Library .Nm nsswitch interface. However, these stubs only support the use of the .Dq Li passwd and .Dq Li group databases. .Sh SEE ALSO .Xr nsdispatch 3 , .Xr nscd.conf 5 , .Xr resolv.conf 5 , .Xr nscd 8 , .Xr ypbind 8 .Sh HISTORY The .Nm file format first appeared in .Fx 5.0 . It was imported from the .Nx Project, where it appeared first in .Nx 1.4 .
.Sh AUTHORS .An Luke Mewburn Aq Mt lukem@netbsd.org wrote this freely distributable name-service switch implementation, using ideas from the .Tn ULTRIX .Xr svc.conf 5 and .Tn Solaris .Xr nsswitch.conf 4 manual pages.