From Fedora Project Wiki

Authselect: nsswitch.conf modification in packages

Related Tickets

Problem Statement

Packages that install an nsswitch module sometimes enable that module automatically after installation. They do this by parsing and modifying the /etc/nsswitch.conf file (using a shell script in the %post section of their spec file). This routine is not very popular among package maintainers, but they currently have no other choice if they want to enable the module automatically. Additionally, this approach conflicts with authselect: on a system configured by authselect, /etc/nsswitch.conf should not be modified directly; the preferred way is to modify /etc/authselect/user-nsswitch.conf and call authselect apply-changes to reflect these changes in the currently selected profile.

Affected packages

Research has shown that only two packages in Fedora touch nsswitch.conf to enable the nsswitch modules they provide: systemd and nss-mdns.

nss-mdns

This package installs the mdns, mdns_minimal, mdns4, mdns4_minimal, mdns6 and mdns6_minimal modules for use in the hosts database. Only mdns4_minimal is enabled by default.

These modules are used for multicast DNS on IPv4 (mdns4), IPv6 (mdns6) or both (mdns). Modules with the _minimal suffix resolve only DNS names ending with .local.

systemd

This package installs the myhostname, mymachines, resolve and systemd modules. Only myhostname and systemd are enabled automatically by the scriptlet.

  • myhostname (hosts) - dynamically resolves the current machine's hostname to local IP addresses instead of requiring an entry in /etc/hosts.
  • mymachines (hosts, passwd, group) - resolution of container names registered with systemd-machined and of the user and group names mapped into them.
  • resolve (hosts) - client for systemd-resolved, a replacement for the dns module.
  • systemd (passwd, group) - resolver for dynamic users and groups (the DynamicUser option in unit files).

Immediate fix

Scriptlets in packages have to be updated to be compatible with authselect configurations as well. This must be done for Fedora 28 and 29; figuring out a better way to do this in Fedora 30 is the purpose of this document.

An example of such a scriptlet that works with authselect:

 function mod_nss() {
     if [ -f "$1" ] ; then
         # sed-fu to add myhostname to the hosts line; skip sed entirely when
         # the module is already listed so the scriptlet stays idempotent
         grep -E -q '^hosts:.* myhostname' "$1" ||
         sed -i.bak -e '
                 /^hosts:/ !b
                 /\<myhostname\>/ b
                 s/[[:blank:]]*$/ myhostname/
                 ' "$1" &>/dev/null || :
     ...
 }
 
 # on a system managed by authselect, /etc/nsswitch.conf is a symlink into /etc/authselect
 FILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)"
 if [ "$FILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &> /dev/null; then
     # edit the user overrides and let authselect regenerate nsswitch.conf
     mod_nss "/etc/authselect/user-nsswitch.conf"
     authselect apply-changes &> /dev/null
 else
     mod_nss "$FILE"
     # also apply the same changes to user-nsswitch.conf to affect
     # possible future authselect configuration
     mod_nss "/etc/authselect/user-nsswitch.conf"
 fi

Proposed solutions for Fedora 30

1. Continue using updated scriptlets

This is the easiest solution as the work will be done anyway.

2. Provide authselect command to update nsswitch.conf

To solve this problem, authselect will provide a simple API with package maintainers as its main consumers. This API will configure nsswitch.conf correctly in both cases: when the system is configured by authselect and when it is not. The required behavior is:

  • When the system is configured by authselect, it modifies /etc/authselect/user-nsswitch.conf and calls authselect apply-changes.
  • When the system is not configured by authselect, it modifies both /etc/authselect/user-nsswitch.conf (so the changes are kept when the administrator decides to use authselect) and /etc/nsswitch.conf (so the changes take immediate effect).
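The two behaviours listed above, and the branching of the scriptlet under "Immediate fix", implemented as a small self-contained helper. This is an added example, not authselect's code and not a real package scriptlet: the function names (enable_nss_module, enable_nss_module_authselect_aware, run_scratch_demo), the override variables it reads (NSSWITCH_CONF, AUTHSELECT_NSSWITCH_CONF, USER_NSSWITCH_CONF, AUTHSELECT_BIN) and the fake_authselect stub are assumptions made so the logic can be exercised on a scratch copy of the files without root; the sample nsswitch.conf content is constructed.

```shell
#!/bin/bash
# Added example (not the wiki's scriptlet nor authselect's own code): an
# idempotent helper that enables an nsswitch module on one database line and
# routes the change through authselect when the system is managed by it.
# Function names, the *_CONF / AUTHSELECT_BIN variables and fake_authselect
# are assumptions made so the logic can run on scratch files without root.

# enable_nss_module DB MODULE FILE
# Append MODULE to the "DB:" line of FILE unless it is already listed there.
# Returns 1 if FILE is missing or has no DB line, 0 otherwise.
enable_nss_module() {
    local db="$1" module="$2" file="$3" tmp
    [ -f "$file" ] || return 1
    grep -E -q "^${db}:" "$file" || return 1
    # Already present as a blank-delimited word on that line: nothing to do.
    grep -E -q "^${db}:.*[[:blank:]]${module}([[:blank:]]|\$)" "$file" && return 0
    tmp="$(mktemp)" || return 1
    sed -e "/^${db}:/ s/[[:blank:]]*\$/ ${module}/" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place instead of renaming the temp file: this keeps the
    # mode, owner and SELinux label of the original, which matters under /etc.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# enable_nss_module_authselect_aware DB MODULE
# Decides where the change belongs, as the scriptlet above does:
#  - authselect-managed (nsswitch.conf is a symlink to authselect's generated
#    copy and "authselect check" passes): edit user-nsswitch.conf and let
#    "authselect apply-changes" regenerate nsswitch.conf;
#  - otherwise: edit nsswitch.conf for immediate effect and user-nsswitch.conf
#    so that a later switch to authselect keeps the module.
# Prints the branch taken. Paths and binary can be overridden for testing.
enable_nss_module_authselect_aware() {
    local db="$1" module="$2" target
    local nsswitch="${NSSWITCH_CONF:-/etc/nsswitch.conf}"
    local managed_copy="${AUTHSELECT_NSSWITCH_CONF:-/etc/authselect/nsswitch.conf}"
    local user_nsswitch="${USER_NSSWITCH_CONF:-/etc/authselect/user-nsswitch.conf}"
    local authselect="${AUTHSELECT_BIN:-authselect}"
    target="$(readlink "$nsswitch" || echo "$nsswitch")"
    if [ "$target" = "$managed_copy" ] && "$authselect" check >/dev/null 2>&1; then
        enable_nss_module "$db" "$module" "$user_nsswitch" || return 1
        "$authselect" apply-changes >/dev/null 2>&1 || return 1
        echo managed
    else
        enable_nss_module "$db" "$module" "$target" || return 1
        # Best effort: the overrides file need not exist without authselect.
        if [ -f "$user_nsswitch" ]; then
            enable_nss_module "$db" "$module" "$user_nsswitch" || return 1
        fi
        echo unmanaged
    fi
}

# Constructed sample nsswitch.conf content for the scratch demo.
SAMPLE_NSSWITCH='passwd:     sss files systemd
group:      sss files systemd
hosts:      files dns myhostname
'

# Stand-in for the authselect binary on the scratch system: "check" passes,
# "apply-changes" is only recorded in FAKE_AUTHSELECT_LOG.
fake_authselect() {
    case "$1" in
        check) return 0 ;;
        apply-changes) echo applied >> "${FAKE_AUTHSELECT_LOG:?}" ;;
        *) return 1 ;;
    esac
}

# run_scratch_demo 1|0
# Builds the layout under a temp dir (1 = authselect-managed with a symlinked
# nsswitch.conf, 0 = plain), enables mdns4_minimal for hosts and prints
# "<branch> | <hosts line of nsswitch.conf> | <hosts line of
# user-nsswitch.conf> | <number of apply-changes calls>".
run_scratch_demo() {
    local managed="$1" d branch
    d="$(mktemp -d)" || return 1
    mkdir -p "$d/authselect"
    printf '%s' "$SAMPLE_NSSWITCH" > "$d/authselect/user-nsswitch.conf"
    if [ "$managed" = 1 ]; then
        printf '%s' "$SAMPLE_NSSWITCH" > "$d/authselect/nsswitch.conf"
        ln -s "$d/authselect/nsswitch.conf" "$d/nsswitch.conf"
    else
        printf '%s' "$SAMPLE_NSSWITCH" > "$d/nsswitch.conf"
    fi
    : > "$d/applied"
    # Dynamic scoping: the helper above reads these overrides.
    local NSSWITCH_CONF="$d/nsswitch.conf" AUTHSELECT_NSSWITCH_CONF="$d/authselect/nsswitch.conf"
    local USER_NSSWITCH_CONF="$d/authselect/user-nsswitch.conf"
    local AUTHSELECT_BIN=fake_authselect FAKE_AUTHSELECT_LOG="$d/applied"
    branch="$(enable_nss_module_authselect_aware hosts mdns4_minimal)" || return 1
    printf '%s | %s | %s | %s\n' "$branch" \
        "$(grep '^hosts:' "$d/nsswitch.conf")" \
        "$(grep '^hosts:' "$d/authselect/user-nsswitch.conf")" \
        "$(wc -l < "$d/applied" | tr -d ' ')"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then run_scratch_demo 1; run_scratch_demo 0; fi
```

Running the file with --demo prints one line per branch. On the managed layout the generated nsswitch.conf is left untouched and only user-nsswitch.conf gains the module, with apply-changes invoked once; on the plain layout both files are edited directly and apply-changes is never called. The helper also refuses to act when the requested database line is absent rather than appending a new one, so a typo in the database name cannot silently create a second resolver line.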

This is a good solution for both parties; however, it is probably overkill, since only two packages would use it and it would add an additional burden to authselect. The amount of work needed to do this in authselect exceeds the work needed to change the scriptlets. In addition, enabling modules in %post should be considered a temporary solution, so the need for this API should disappear.

3. Add these packages to authselect profiles

We can add these packages as optional modules in authselect profiles. This way, the administrator can easily enable or disable them. For example:

 $ sudo authselect select sssd with-mdns with-myhostname

The advantage is that administrators could enable and disable these modules at will, which would be very welcome. However, at the moment, administrators on systems configured with authselect manage the hosts line in /etc/authselect/user-nsswitch.conf, so this would require a Fedora Change.

The disadvantage is that the number of modules is large and would make the profiles harder to maintain. It is also questionable whether the systemd modules should be enabled by default, as this change was already requested in glibc (here and here) but the requests were not resolved for several years. We should probably also support other modules that can be used in the hosts database (e.g. the libvirt module) so that administrators still have control over this line, which would again increase the burden.

  • Q: Should we also support other modules (e.g. libvirt)?
  • A:
  • Q: Should the systemd module be enabled by default?
  • A:
  • Q: Should the myhostname module be enabled by default?
  • A:
  • Q: Should the mymachines module be enabled by default?
  • A:
  • Q: Should the resolve module be enabled by default?
  • A: No. This is a specific use-case and does not have to be the default.
  • Q: What should the hosts line look like?
  • A: To be done.

4. Stop using these scriptlets at all

Packages should not enable these modules automatically and should leave their configuration to the administrator. This can of course be combined with solution 3.