Bug 167083 - Add support for /etc/sysconfig/nscd
Add support for /etc/sysconfig/nscd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: glibc (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-30 00:15 EDT by Dax Kelson
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.3.90-12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-13 02:46:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to /etc/init.d/nscd to add /etc/sysconfig/nscd support (568 bytes, patch)
2005-08-30 00:15 EDT, Dax Kelson
no flags Details | Diff

  None (edit)
Description Dax Kelson 2005-08-30 00:15:11 EDT
Description of problem:

In our environment we need to set some environment variables (Kerberos related)
when launching nscd. Currently we hack them into /etc/init.d/nscd. Please add
support for an /etc/sysconfig/nscd file so we can cleanly modify the environment
for nscd in a maintainable and future proof way.

How about the following patch to /etc/init.d/nscd ?

--- nscd.org    2005-08-29 22:07:36.000000000 -0600
+++ nscd        2005-08-29 22:10:29.000000000 -0600
@@ -9,6 +9,7 @@
 #              slow naming services like NIS, NIS+, LDAP, or hesiod.
 # processname: /usr/sbin/nscd
 # config: /etc/nscd.conf
+# config: /etc/sysconfig/nscd
 #
 ### BEGIN INIT INFO
 # Provides: nscd
@@ -28,6 +29,8 @@
 # Source function library.
 . /etc/init.d/functions

+[ -f /etc/sysconfig/nscd ] && . /etc/sysconfig/nscd
+
 # nscd does not run on any kernel lower than 2.2.0 because of threading
 # problems, so we require that in first place.
 case $(uname -r) in
Comment 1 Dax Kelson 2005-08-30 00:15:11 EDT
Created attachment 118236 [details]
patch to /etc/init.d/nscd to add /etc/sysconfig/nscd support
Comment 2 Dax Kelson 2005-08-30 00:17:17 EDT
It would be great to get this change into RHEL4 as well. Should I open another bug??
Comment 3 Jakub Jelinek 2005-08-30 04:57:42 EDT
I guess you should first explain what environment variables and why you
specifically need them just for nscd, not for all programs.
In that case NSS lookup would work differently if using and if not using nscd.
I don't see how would that be a good thing.
Comment 4 Dax Kelson 2005-08-30 12:54:36 EDT
Consider this configuration:

nscd -----> nss_ldap ------(GSSAPI/Kerberos authenticated connection ---> LDAP

The LDAP server only allows GSSAPI/Kerberos authenticated connections. To allow
the OS and daemons to lookup users and groups via get*ent nscd needs to have
access to a kerberos credentials cache.

In /etc/ldap.conf, among other settings, has:

use_sasl on
sasl_auth_id nssldap/FQDN
krb5_ccname FILE:/etc/.ldapcache

The credendentials cache is kept current via a cron job.

When nscd is started and using the nss_ldap library which in turn uses the
kerberos libraries, it needs the following environment variable:

KRB5CCNAME=/etc/.ldapcache

This is my particular need. I'm sure there many are other uses out there as well.

The simple patch just gives me the flexibility to modify my configuration for my
environment in a clean (supports painless RPM upgrades) fashion that many many
other SysV init scripts use on the system.

This should be a no brainer.
Comment 5 Dax Kelson 2005-08-30 15:29:09 EDT
Here is an updated patch that allows you to set NSCD_OPTIONS in
/etc/sysconfig/nscd. This is useful if you want to set the number of threads
that nscd uses. I can, of course, also use /etc/sysconfig/nscd to set
environment variables if I need to.

For example, in /etc/sysconfig/nscd

NSCD_OPTIONS="-t 8"

Here is the patch.

--- nscd.org    2005-08-29 22:07:36.000000000 -0600
+++ nscd        2005-08-30 13:29:43.000000000 -0600
@@ -9,6 +9,7 @@
 #              slow naming services like NIS, NIS+, LDAP, or hesiod.
 # processname: /usr/sbin/nscd
 # config: /etc/nscd.conf
+# config: /etc/sysconfig/nscd
 #
 ### BEGIN INIT INFO
 # Provides: nscd
@@ -28,6 +29,9 @@
 # Source function library.
 . /etc/init.d/functions

+# Source an auxiliary options file if we have one, and pick up NSCD_OPTIONS.
+[ -f /etc/sysconfig/nscd ] && . /etc/sysconfig/nscd
+
 # nscd does not run on any kernel lower than 2.2.0 because of threading
 # problems, so we require that in first place.
 case $(uname -r) in
@@ -57,7 +61,7 @@
 #      fi
 #   done
     echo -n $"Starting $prog: "
-    daemon /usr/sbin/nscd $secure
+    daemon /usr/sbin/nscd $secure $NSCD_OPTIONS
     RETVAL=$?
     echo
     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nscd
Comment 6 Jakub Jelinek 2005-08-31 09:14:59 EDT
You still haven't explained why you can't
export KRB5CCNAME=/etc/.ldapcache
in /etc/profile.d/*.sh instead.  If you just set the variable for nscd, the
NSS lookup will not work if nscd is not working for whatever reason.

/etc/init.d/nscd is marked as %config file, so you can edit it.  I don't like
the trend of making startup slower and slower all the time.
Comment 7 Dax Kelson 2005-08-31 13:25:27 EDT
This goes back to the design of Kerberos, nss_ldap and the security model
thereof. The Kerberos credential's cache is unique PER daemon or USER. Each
daemon's or user's cache should only be accessible by that user or daemon. This
is why the nss_ldap credentials cache has the following permissions/ownership:

-rw-------  1 nscd nscd 555 Aug 31 10:57 /etc/.ldapcache

You MUST not make this readable by other uids.

Currently the caches are stored in files, in the future MIT kerberos and Heimdal
will also support caches stored in the kernel (via the keyring support). In
either case, the KRB5CCNAME will be used to specify where the cache is located. 

This is not unqiue to nscd, other daemons require a KRB5CCNAME set to their
specific location as well.

You say, "If you just set the variable for nscd, the NSS lookup will not work if
nscd is not working for whatever reason."

Yes. In a Kerberized LDAP with strong host (and user) authentication this is
intentional. This is how the security model it is designed to work. This is not new.

Modifying the OS supplied /etc/init.d/ scripts is not good practice. This leaves
you vulnerable to missing security fixes and other important changes. It is not
good practice, it is actively discouraged. It causes the creation of .rpmnew
files and extra sysadmin work. It is not safe to programatically edit a script,
while programatically editing sysconfig files is easy.

The /etc/sysconfig/ design is THE answer to the historical mess of editing
/etc/init.d scripts. It is a major benefit of the RH/Linux system administration.

On a RHEL/Fedora box all of the following SysV init scripts use a /etc/syconfig/
file: 

amd, arpwatch, autofs, bgpd, bluetooth, cyrus-imapd, dc_client, dc_server,
dhcp6s, dhcpd, dhcrelay, dund, exim, firstboot, functions, gpm, halt, hidd,
httpd, irda, irqbalance, isdn, kudzu, ldap, named, netdump, netplugd, nfs,
nfslock, ntpd, ospf6d, ospfd, pand, pcmcia, portmap, postgresql, radvd, rhnsd,
ripd, ripngd, rpcgssd, rpcsvcgssd, saslauthd, sendmail, smartd, smb,
spamassassin, squid, sshd, syslog, tux, vncserver, winbind, xinetd, yppasswdd, zebra

It is inconsistent to treat nscd different.

I don't thing anyone would argue that bootup speed trumps all other concerns
(like consistency and maintainability). Besides nscd is NOT started by default.
Comment 8 Dax Kelson 2005-09-02 18:34:03 EDT
Any response?

BTW, I tested on a vanilla FC4 box.  I modified /etc/init.d/nscd, then I ran
"yum -y update".

After it finished, it replaced my modified nscd SysV init script. Observe:

[root@mybox init.d]# ls -al nscd*
-rwxr-xr-x  1 root root 2640 Sep  2 16:30 nscd
-rwxr-xr-x  1 root root 2228 Sep  2 13:46 nscd.rpmsave
[root@mybox init.d]#
Comment 9 Kostas Georgiou 2005-10-19 12:23:18 EDT
I would like to see this in RHEL3|4 as well. Dax you haven't submitted any bugs
from RHEL about it as far as i can see right?

Note You need to log in before you can comment on or make changes to this bug.