From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: Design for extensible passwd[/shadow?] db support
Date: Sun, 12 Aug 2012 16:56:43 -0400 [thread overview]
Message-ID: <20120812205643.GT27715@brightrain.aerifal.cx> (raw)
In-Reply-To: <dcb69a5c01f3d7bed944b68126616172@exys.org>
On Sun, Aug 12, 2012 at 09:10:16PM +0200, Arvid E. Picciani wrote:
> On Sun, 12 Aug 2012 01:38:02 -0400, Rich Felker wrote:
>
> >What I'm looking for is a way to allow musl to access user data
> >that's
> >not provided with flat files in /etc,
>
> I'm not sure why user auth is in libc in the first place.
This is not auth, it's just lookups. Translating uids to usernames and
back.
> >[..] can query a local daemon [..]
>
> >The first main question is what protocol to use.
>
> well, so use the existing rpc. it fullfills the given requirements,
> and is compatible with the stuff out there.
Not an option. It's massively bloated and full of security issues.
There is a legitimate need for what NIS provides, but doing it with
NIS and the RPC system is backwards and stupid. Putting this
backwardsness in libc just creates more cost for people who want to do
it right.
> >Alternatively, we could make musl speak an existing query language
> >(e.g. LDAP) directly
>
> And pull even more policy into libc?
I'm not sure how this is adding policy. I consider the other solution
glibc chose, nss, to be policy. It forces your apps to have dynamic
loader support in them, forces you to have config files in place and
shared libraries present in hard-coded paths, etc. My intent is to
minimize any such requirements, and leave them at absolute zero except
for people who need giant specially-backed user databases.
> Then everyone has to patch
> libc to adapt to the local ldap layout? or another config?
It's the intent that nobody should ever have to patch libc for the
sake of accessing their user database. That's what this thread is
about. I'm not familar with how LDAP is used in the wild for this
purpose, or if it even is, so I don't know how easy it would be to
directly interface with diverse existing LDAP servers, but it seems
like it would be a reasonable, simple proxy language for lookups,
whereby any customization could go in the proxy.
See my later post about nscd; it might be a better choice.
> There is a need for the things you want to do here, but i think
> this is the line where it's time to go into higher layers.
I don't follow. What alternative are your proposing?
Rich
next prev parent reply other threads:[~2012-08-12 20:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-12 5:38 Rich Felker
2012-08-12 15:16 ` Jeremy Huntwork
2012-08-12 17:27 ` Rich Felker
2012-08-12 17:34 ` Rich Felker
2012-08-12 19:10 ` Arvid E. Picciani
2012-08-12 20:56 ` Rich Felker [this message]
2012-08-13 9:41 ` Arvid E. Picciani
2012-08-13 12:27 ` Luca Barbato
2012-08-13 12:46 ` Kurt H Maier
2012-08-13 13:50 ` Rich Felker
2012-08-13 19:22 ` Arvid E. Picciani
2012-08-13 19:28 ` Rich Felker
2012-08-13 19:38 ` Arvid E. Picciani
2012-08-13 19:50 ` Rich Felker
2012-08-13 20:14 ` Arvid E. Picciani
2012-08-13 21:03 ` Rich Felker
2012-08-13 22:10 ` Luca Barbato
2012-08-13 0:26 idunham
2012-08-13 0:31 ` Rich Felker
2012-08-13 10:45 ` Daniel Cegiełka
2012-08-13 13:46 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120812205643.GT27715@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).