Skip to content
/ libnss_shim Public

Perform Name Service Switch (NSS) lookups with custom commands

License

GPL-3.0 license
6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

xenago/libnss_shim

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

72 Commits
.github/workflows
.github/workflows
 
 
changelog
changelog
 
 
cross
cross
 
 
debian
debian
 
 
default_config
default_config
 
 
docs
docs
 
 
samples
samples
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 
rust-toolchain.toml
rust-toolchain.toml
 
 

Repository files navigation

libnss_shim

Respond to Name Service Switch lookups with the output of custom commands. Both JSON and the typical colon-separated *nix format are supported.

Overview

libnss_shim is an adapter to make integration with NSS easier. It is an NSS/nsswitch service that runs commands defined per-function in /etc/libnss_shim/config.json.

  • Commands can output responses to queries either in the colon-delimited Unix format, or in JSON
  • The output of each command execution is parsed from stdout and validated before being passed back to NSS
  • The group, passwd, and shadow NSS databases/services are supported
  • See the documentation for additional information

Demonstration

samples/basic

A more complex example implementation with config, scripts and Dockerfile can be found at samples/advanced.

Background

Custom PAM modules alone are not enough to create a custom Linux authentication process - integration with NSS is also required to inject custom user data to group/passwd/shadow lookups earlier in the login flow.

In other words: NSS determines if an account exists, and PAM determines how an account can be accessed.

For example, SSSD leverages both NSS and PAM to enable seamless LDAP authentication. Integrating directly with NSS can be difficult, so libnss_shim was created to allow any command that can print to stdout in a supported format to be used with NSS.

Installation

Compatibility notes

  • Tested on:
    • Debian 11
    • Debian 12
    • Ubuntu 20.04
    • Ubuntu 22.04
    • Ubuntu 24.04
    • CentOS 7
    • AlmaLinux 8
    • AlmaLinux 9
  • Builds for amd64 and aarch64 architectures
    • See Development in the docs for information about building for other architectures
  • Packaged in .deb and .rpm formats
    • If those formats are not supported by a target platform, libnss_shim might be usable if the assets are installed as described in Cargo.toml prior to running the debian/postinst script, but this has not been tested extensively
  • To request support for a different configuration, please create an issue

Install/Upgrade

  1. Prepare the commands/software that will be triggered by libnss_shim. See Commands in the docs for details.

  2. Download the latest release produced by GitHub Actions.

    AMD64 deb:

    curl -sLo libnss_shim.deb https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim_1.2.1-1_amd64.deb

    AMD64 RPM:

    curl -sLo libnss_shim.rpm https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim-1.2.1-1.x86_64.rpm

    Full table:

    Architecture Package Link
    amd64 deb libnss_shim_1.2.1-1_amd64.deb
    amd64 RPM libnss_shim-1.2.1-1.x86_64.rpm
    aarch64 deb libnss_shim_1.2.1-1_arm64.deb
    aarch64 RPM libnss_shim-1.2.1-1.aarch64.rpm

    See Downloading and Attestations in the docs for more details.

  3. Install or upgrade it directly with dpkg or rpm.

    deb:

    sudo dpkg -i libnss_shim.deb

    RPM:

    sudo rpm -Uv ./libnss_shim.rpm

  4. Configure the shim by importing a custom config.json.

    e.g.

    sudo cp custom_config.json /etc/libnss_shim/config.json

    Using the default config.json, libnss_shim should have no effect, as the default configuration has commands defined that output nothing. Updates to the config take effect immediately and can be performed at any time after libnss_shim has been installed and used, without restarting.

    See Configuration and Commands in the docs for details.

  5. When installed, libnss_shim is mapped as shim in /etc/nsswitch.conf as the last source for all supported databases. In that file, the access order for each database's sources can be changed, shim can be removed from specific locations if not required, etc.

    Because nsswitch.conf is read only once per-process, any software actively using it will need to be restarted to access libnss_shim when it is installed. Rebooting the system is often the safest/easiest way to do this:

    sudo reboot

    See Interaction with /etc/nsswitch.conf in the docs for details.

  6. Perform NSS queries to validate the installation, for example using the built-in getent tool.

    Some sample commands to test your implementation:

    getent group
getent passwd
getent shadow
getent group <groupname>

    A very basic test config is available that will respond to getent group calls with a fake group (like in the demo GIF):

    curl -sLo /etc/libnss_shim/config.json https://raw.githubusercontent.com/xenago/libnss_shim/main/samples/basic/custom_config.json
getent group | tail -1

    If the installation worked, the output should look like:

    test-shim-group::1008:fake-username,another-user

Uninstall

  1. To remove libnss_shim, run the same package manager used for installation.

    deb:

    sudo dpkg -r libnss_shim

    RPM:

    sudo rpm -e libnss_shim

  2. As mentioned above, nsswitch.conf is read only once per-process so restarting affected applications is required to apply the change. A system reboot is an effective way to do this:

    sudo reboot

Security

The libnss_shim NSS plugin runs commands defined in /etc/libnss_shim/config.json, which only root can edit by default. Ensure that this file, the commands defined inside it, and any other related resources remain read-only to other users, or the system may be vulnerable to privilege escalation attacks. Do not store secrets in config.json or any other file which can be read by non-root users.

To enable non-root users to access resources defined by libnss_shim, they must be able to access the commands defined in config.json. For example, if a file group-script.py is being used to resolve group queries, it will need to be readable (along with the Python interpreter used to run it):

sudo chown root:root /path/to/custom/group-script.py
sudo chmod 644 /path/to/custom/group-script.py

However, as the shadow database is generally only accessed via su/setuid etc., programs used to resolve shadow queries can be left as 640:

sudo chown root:root /path/to/custom/shadow-script.py
sudo chmod 640 /path/to/custom/shadow-script.py

It is recommended to pass data (like <$name>) using environment variables rather than arguments, except for testing purposes. Environment variables are generally private, whereas commands/launch args are not.

Commands are not passed through a shell for execution. Although it is possible to run software like bash with libnss_shim, using a shell is not recommended as this comes with additional risks such as command injection.

See Attestations in the docs for information about validating official libnss_shim release artifacts.

See SECURITY.md for information about reporting security problems.

About

Perform Name Service Switch (NSS) lookups with custom commands

Topics

linux rust debian ubuntu nss libnss nsswitch

Resources

Readme

License

GPL-3.0 license

Security policy

Security policy
Activity

Stars

6 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 9

1.2.1 Latest
Jun 5, 2024
+ 8 releases

Languages