From: idunham@lavabit.com
Subject: Re: Design for extensible passwd[/shadow?] db support
Date: Sun, 12 Aug 2012 20:26:24 -0400 (EDT)
Message-ID: <20538.50.0.229.11.1344817584.squirrel@lavabit.com>
To: musl@lists.openwall.com

> Presumably at some point, musl will be used in environments where it's
> not feasible to have the entire user database in a flat password file.
> Despite NIS being hideous, largish institutions use it for this
> reason; presumably LDAP is a much better option, and there may be
> other options still I'm not aware of.

Out of curiosity, is PAM excluded from consideration? Does it require a
dynamically-loaded library?
And will the pam-lite source ever show up somewhere? ;)

> What I'm looking for is a way to allow musl to access user data that's
> not provided with flat files in /etc, but without bloating musl or
> introducing dependencies on abominations like RPC.
>
> The idea I have is to add a single lookup method to musl, whereby it
> can query a local daemon of some sort for user information in a clean,
> simple protocol. Such a daemon can in turn translate to NIS, if
> desired, or to SQL db queries, or to whatever back-end the admin wants
> to use. I'm fairly settled on this general approach, but since I'm not
> at all familiar with the existing approaches, I'd like to seek some
> further input.
>
> The first main question is what protocol to use. One really simple
> choice would be a plain text protocol where the name/uid of requested
> user is sent over a socket (probably a datagram unix socket) and the
> response comes back in standard colon-delimited passwd format for the
> existing passwd code to parse. This seems very clean, but as far as I
> know it doesn't have any existing implementations.

I presume, for security reasons, that this would be the contents of
/etc/passwd as found on shadow-enabled systems...but how does the
password get authenticated? Or are unix sockets immune to sniffing?

> Alternatively, we could make musl speak an existing query language
> (e.g. LDAP) directly, such that it could interface with any existing
> server out there that speaks the chosen protocol, or with a proxy that
> translates to other protocols like NIS.

If you do any sort of communication over sockets/networks/... with a
daemon, I'd suggest having musl communicate with a PAM-capable daemon.
PAM is meant for scenarios like this.

Isaac Dunham
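An added illustration of the plain-text lookup protocol sketched in the quoted text above (example code written for this page, not musl's and not from anyone on the list): libc sends the requested user name as one datagram to a local daemon and parses the colon-delimited passwd line that comes back. The daemon, its in-memory table and the exact wire format (bare name in; one passwd line out, or an empty datagram for "no such user") are assumptions, and socketpair() stands in for the unix socket path a real daemon would bind so the whole exchange runs in one process. The part worth seeing in code is that the reply is untrusted input to libc and needs the same strict field-count, numeric-id and length checks as a line read from /etc/passwd.

```c
/* Added example, not musl code: a model of the design discussed on the list.
 * libc sends a user name as one datagram to a local daemon and gets back a
 * colon-delimited passwd line to parse. Daemon, table and wire format are
 * assumptions; socketpair() stands in for a real unix socket path. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct pw_entry {
    char name[64], dir[128], shell[128];    /* gecos is checked, not kept */
    uid_t uid;
    gid_t gid;
};

/* Constructed stand-in for the daemon's back end (NIS, LDAP, SQL...). The
 * password field is "x": on a shadow-enabled system no hash crosses the socket. */
static const char *const fake_db[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/sh",
    NULL
};

/* Strict decimal id: digits only, no sign, no trailing junk, no overflow. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno || *end) ? -1 : 0;
}

/* Parse a passwd line received from the daemon as untrusted input: exactly
 * 7 fields, non-empty name, numeric uid/gid in range, bounded string fields. */
int parse_passwd_line(const char *line, struct pw_entry *e)
{
    char buf[1024], *f[7], *p = buf;
    unsigned long id;
    if (strlen(line) >= sizeof buf || strchr(line, '\n')) return -1;
    strcpy(buf, line);
    for (int i = 0; i < 6; i++) {               /* split on six colons */
        f[i] = p;
        if (!(p = strchr(p, ':'))) return -1;   /* too few fields */
        *p++ = '\0';
    }
    f[6] = p;
    if (strchr(p, ':') || !*f[0]) return -1;    /* too many fields / no name */
    if (parse_id(f[2], &id) || id > (uid_t)-1) return -1;
    e->uid = (uid_t)id;
    if (parse_id(f[3], &id) || id > (gid_t)-1) return -1;
    e->gid = (gid_t)id;
    if (snprintf(e->name, sizeof e->name, "%s", f[0]) >= (int)sizeof e->name ||
        snprintf(e->dir, sizeof e->dir, "%s", f[5]) >= (int)sizeof e->dir ||
        snprintf(e->shell, sizeof e->shell, "%s", f[6]) >= (int)sizeof e->shell)
        return -1;                              /* field too long */
    return 0;
}

/* Daemon half: reply with the matching line, or an empty datagram for "no
 * such user". A real daemon would translate the query to NIS/LDAP/SQL here. */
static void daemon_answer(int fd)
{
    char req[1024];
    const char *reply = "";
    ssize_t n = recv(fd, req, sizeof req, 0);
    if (n < 0) return;
    for (int i = 0; fake_db[i]; i++) {
        size_t len = strcspn(fake_db[i], ":");
        if (len == (size_t)n && !memcmp(fake_db[i], req, len)) reply = fake_db[i];
    }
    send(fd, reply, strlen(reply), 0);
}

/* Client half, i.e. what the libc lookup would do: one datagram out, one
 * back, then the strict parser. Returns 0 on success, -1 otherwise. */
int lookup_user(const char *name, struct pw_entry *e)
{
    int sv[2], rc = -1;
    char reply[1024];
    ssize_t n;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (send(sv[0], name, strlen(name), 0) < 0) goto out;
    daemon_answer(sv[1]);
    n = recv(sv[0], reply, sizeof reply - 1, 0);
    if (n <= 0) goto out;               /* error or empty datagram: not found */
    reply[n] = '\0';
    rc = parse_passwd_line(reply, e);
out:
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

Link it with a main() that calls lookup_user("alice", &e) and prints the fields to try it. Because a datagram socket delivers each reply as one unit, the client never has to frame or reassemble; the cost is that a reply too large for the buffer is silently truncated, which is why the parser insists on the full seven fields rather than trusting whatever arrived. Nothing in the reply is a credential on a shadow-enabled system (the password field is just "x"), so this path covers user-information lookups only; authentication is a separate question, as the reply above notes.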