1171291 – Add nss-altfiles to rpcbind user lookup path

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1171291 - Add nss-altfiles to rpcbind user lookup path

Summary: Add nss-altfiles to rpcbind user lookup path

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	rpcbind
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Steve Dickson
QA Contact:	Yongcheng Yang
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1260020 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-12-05 20:26 UTC by Colin Walters
Modified:	2015-11-19 05:32 UTC (History)
CC List:	8 users (show)
Fixed In Version:	rpcbind-0.2.0-27.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1159941
Environment:
Last Closed:	2015-11-19 05:32:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
0001-Backport-fix-for-altfiles-bz-1171291.patch (5.80 KB, patch) 2014-12-05 20:29 UTC, Colin Walters	no flags	Details \| Diff
update backport.... (6.68 KB, text/plain) 2014-12-15 20:49 UTC, Steve Dickson	no flags	Details
use --with-nss-modules to add 'altfiles' (327 bytes, patch) 2014-12-22 16:34 UTC, Sami Wagiaalla	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1261093	0	high	CLOSED	nss-altfiles does not fill out group member array	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2015:2205	0	normal	SHIPPED_LIVE	rpcbind bug fix update	2015-11-19 08:17:40 UTC

Internal Links: 1261093

Description Colin Walters 2014-12-05 20:26:57 UTC

+++ This bug was initially created as a clone of Bug #1159941 +++

Hi,

I was having trouble setting up NFS on atomic host (http://www.projectatomic.io/). It turns out that there is a problem when rpcbind is trying to find the uid of the rpc user. OSTree based operating systems store user information for systems users such as the rpc user in /usr/lib/passwd and leaves /etc/passwd for humans users. This is achieved by the use the nss module nss-altfiles (https://apps.fedoraproject.org/packages/nss-altfiles) which allows one to specify additional files to be added the the passwd database. rpcbind however overrides the rule added to /etc/nsswitch.conf and removes altfiles by doing the following:
 
    __nss_configure_lookup("passwd", "files");

This is done presumably to avoid checking remote users, but I was wondering if its possible to add altfiles as follows:

~~~~~~
--- src/rpcbind.c
+++ src/rpcbind.c
@@ -226,7 +226,7 @@ main(int argc, char *argv[])
 		 * Make sure we use the local password file
 		 * for these lookups.
 		 */
-		__nss_configure_lookup("passwd", "files");
+		__nss_configure_lookup("passwd", "files altfiles");
 
 		if((p = getpwnam(id)) == NULL) {
 			syslog(LOG_ERR, "cannot get uid of '%s': %m", id);

~~~~~~

If altfiles is not present it is simply ignored

WDYT ?

--- Additional comment from Sami Wagiaalla on 2014-11-03 11:35:42 EST ---



--- Additional comment from Steve Dickson on 2014-11-06 11:04:28 EST ---

(In reply to Sami Wagiaalla from comment #1)
> Created attachment 953168 [details]
> A proper patch

Could please post the patch (minus the spec file changes) 
to libtirpc-devel.net and linux-nfs.org
mailing lists, using the correct patch formats which is defined in 
https://www.kernel.org/doc/Documentation/SubmittingPatches

--- Additional comment from Colin Walters on 2014-11-07 10:58:37 EST ---

Another approach would be a build-time configure option that would be usable by the distribution.  For example:

./configure --with-nss-modules="files altfiles" could be used in Fedora, and would allow any other OS vendor who has custom NSS configuration.

Note due to the way NSS works it's fine for Fedora to add altfiles, it will be harmless if nss-altfiles is not installed.

--- Additional comment from Sami Wagiaalla on 2014-11-07 12:02:36 EST ---

(In reply to Steve Dickson from comment #2)
> (In reply to Sami Wagiaalla from comment #1)
> > Created attachment 953168 [details]
> > A proper patch
> 
> Could please post the patch (minus the spec file changes) 
> to libtirpc-devel.net and linux-nfs.org
> mailing lists, using the correct patch formats which is defined in 
> https://www.kernel.org/doc/Documentation/SubmittingPatches

Thanks for the pointers! I will post a patch upstream.

(In reply to Colin Walters from comment #3)
> Another approach would be a build-time configure option that would be usable
> by the distribution.  For example:
> 
> ./configure --with-nss-modules="files altfiles" could be used in Fedora, and
> would allow any other OS vendor who has custom NSS configuration.
> 

Ah! that would be more applicable upstream than hard-coding in altfiles. I will post a patch to that effect upstream as Steve suggested

--- Additional comment from Sami Wagiaalla on 2014-11-10 10:07:43 EST ---

Patch posted upstream:

https://sourceforge.net/p/libtirpc/mailman/message/33015641/

--- Additional comment from Fedora Update System on 2014-11-10 12:57:42 EST ---

rpcbind-0.2.1-4.0.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/rpcbind-0.2.1-4.0.fc21

--- Additional comment from Sami Wagiaalla on 2014-11-10 13:54:41 EST ---

Now that the configuration option is upstream this patch uses the option to enable the altfiles modules

--- Additional comment from Fedora Update System on 2014-11-11 21:44:54 EST ---

Package rpcbind-0.2.1-4.0.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rpcbind-0.2.1-4.0.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14782/rpcbind-0.2.1-4.0.fc21
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-11-18 07:08:41 EST ---

rpcbind-0.2.1-4.0.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Sami Wagiaalla on 2014-12-01 11:35:53 EST ---

Hmmm.. the bug was closed by the Fedora Update System but the issue is not quite addressed yet.
The updated rpm contains the configuration option for adding nss modules but the configuration in the specfile must be updated to include altfiles as per  attachment 955950 [details]

--- Additional comment from Colin Walters on 2014-12-05 14:50:31 EST ---

So, it actually works in rawhide, due to a chain of *other* bugs =)

The history here is pretty funny actually.  First, we have:

http://git.infradead.org/users/steved/rpcbind.git/commit/8d7a0708f14b22df100d64bcadfb66598052a950

A patch from a Gentoo developer to clean up the autotools, and notably drops the HAVE_NSS_H check.

Next we have:

http://git.infradead.org/users/steved/rpcbind.git/commitdiff/c4814d539434391df4dfa61551e5e2e96947326d?hp=86036582c001e99075f4d74cb3829df39f2a9ddf

A patch from a different Gentoo developer which relies on the HAVE_NSS_H check that was removed a little more than two years (!) earlier.  Of course, in between there were a grand total of 9 commits.

About a half a year later, we have the commit for this bug:

http://git.infradead.org/users/steved/rpcbind.git/commit/d30515b11bea3171b2ba0373f0eda132992538b7

I'm sure Sami tested it, and noticed it worked, but because he was forward-porting a patch, didn't notice it worked *without* his patch too.

Anyways so, two action items:

1) Reintroduce the HAVE_NSS_H check in configure.ac
2) Fix the Fedora spec file as Sami says in comment #10

--- Additional comment from Colin Walters on 2014-12-05 15:06:52 EST ---

Comment 1 Colin Walters 2014-12-05 20:29:25 UTC

Created attachment 965218 [details]
0001-Backport-fix-for-altfiles-bz-1171291.patch

Steve, can we possibly get this in 7.1?  If not, can it be queued for 7.2?  I'd like to pull it in for the Atomic Beta release update.

Comment 3 Steve Dickson 2014-12-15 20:49:13 UTC

Created attachment 969293 [details]
update backport....

Comment 4 Sami Wagiaalla 2014-12-22 16:34:55 UTC

Created attachment 972083 [details]
use --with-nss-modules to add 'altfiles'

Comment 5 Sami Wagiaalla 2014-12-22 16:36:22 UTC

In addition to  attachment 969293 [details] we'll need to update the configuration to add altfiles (attachment 972083 [details])

Comment 6 Sami Wagiaalla 2015-01-13 14:52:35 UTC

Hi Steve.. have you had a chance to look into this ?

Comment 7 Steve Dickson 2015-01-13 17:42:48 UTC

(In reply to Sami Wagiaalla from comment #6)
> Hi Steve.. have you had a chance to look into this ?

Yes.. its queued up for 7.2 and it will be a backport of

commit d30515b11bea3171b2ba0373f0eda132992538b7
Author: Sami Wagiaalla <swagiaal>
Date:   Mon Nov 10 12:24:05 2014 -0500

    nfs: Add '--with-nss-modules' configure option to specify nss modules
    
    From: Sami Wagiaalla <swagiaal>

Comment 8 Sami Wagiaalla 2015-01-13 20:11:53 UTC

(In reply to Steve Dickson from comment #7)
> (In reply to Sami Wagiaalla from comment #6)
> > Hi Steve.. have you had a chance to look into this ?
> 
> Yes.. its queued up for 7.2 and it will be a backport of
> 
> commit d30515b11bea3171b2ba0373f0eda132992538b7
> Author: Sami Wagiaalla <swagiaal>
> Date:   Mon Nov 10 12:24:05 2014 -0500
> 
>     nfs: Add '--with-nss-modules' configure option to specify nss modules
>     
>     From: Sami Wagiaalla <swagiaal>

Great!.. but what about using the option in the specfile to add 'altfiles' ? (attachment 972083 [details])

Also, any chance of getting this in 7.1 ?

Comment 9 Colin Walters 2015-01-13 20:13:28 UTC

If it's not in 7.1 (which is probably not possible now as it's deep frozen) we can likely ask RCM to have it pulled specifically into Atomic's override set until 7.2.

Comment 10 Steve Dickson 2015-01-15 13:58:49 UTC

(In reply to Colin Walters from comment #9)
> If it's not in 7.1 (which is probably not possible now as it's deep frozen)
> we can likely ask RCM to have it pulled specifically into Atomic's override
> set until 7.2.

Maybe we can added this to the z-stream??

Comment 11 Colin Walters 2015-01-16 17:35:32 UTC

I've branched rpcbind with as "atomic-rhel-7.1" and backported the fix:

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8551108

Steve, when 7.2 opens up can we merge this patch there?  Thanks!

Comment 14 Yongcheng Yang 2015-05-14 08:34:41 UTC

Verified with rpcbind-0.2.0-27.el7.src.rpm

[yyc@dhcp-12-138 rpcbind-0.2.0]$ cat Makefile.am | grep nss_modules
	-DNSS_MODULES="\"$(nss_modules)\"" \
[yyc@dhcp-12-138 rpcbind-0.2.0]$ cat configure.ac | grep -i nss_modules
AC_ARG_WITH([nss_modules],
  AS_HELP_STRING([--with-nss-modules=NSS_MODULES]
  ,, [with_nss_modules=files])
AC_SUBST([nss_modules], [$with_nss_modules])
[yyc@dhcp-12-138 rpcbind-0.2.0]$ 
[yyc@dhcp-12-138 rpcbind-0.2.0]$ cat src/rpcbind.c | grep -A3 NSS_MODULES
#ifdef NSS_MODULES
char *nss_modules = NSS_MODULES;
#else
char *nss_modules = "files";
#endif
[yyc@dhcp-12-138 rpcbind-0.2.0]$ cat src/rpcbind.c | grep __nss_configure_lookup
	__nss_configure_lookup("services", nss_modules);
		__nss_configure_lookup("passwd", nss_modules);
[yyc@dhcp-12-138 rpcbind-0.2.0]$ ./configure --help 
`configure' configures rpcbind 0.2.0 to adapt to many kinds of systems.
<snip>
  --with-rpcuser=ARG      use ARG for RPC [default=root]
  --with-nss-modules=NSS_MODULES

                          Sets the nss module search list to the given
                          space-delimited string. For example
                          --with-nss-modules="files altfiles" [default=files]
<snip>
[yyc@dhcp-12-138 rpcbind-0.2.0]$ 

Move to VERIFIED

Comment 17 Fabian Deutsch 2015-09-04 12:41:56 UTC

*** Bug 1260020 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2015-11-19 05:32:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2205.html

Note You need to log in before you can comment on or make changes to this bug.