[gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Joakim Tjernlund]

I wonder if it would be possible to use the script from sys-apps/getent(included below)
to impl. getent in user.eclass instead of using glibc's getent? I cannot see any downside, is there one?

This would help a lot(just seed your groups/users is in ROOT/etc/{passwd,group ...} first)
when cross building or ROOT != / as it would be trivial for the script to respect ROOT/EPREFIX 

sys-apps/getent:
#!/bin/sh
#
# Closely (not perfectly) emulate the behavior of glibc's getent utility
#
#passwd|shadow|group|aliases|hosts|networks|ethers|netgroup|protocols|services|rpc
# only returns the first match (by design)
# dns based search is not supported (hosts,networks)
# case-insensitive matches not supported (ethers; others?)
# may return false-positives (hosts,protocols,rpc,services,ethers)

[ -z "$PATH" ] && PATH="/bin:/usr/bin" || PATH="${PATH}:/bin:/usr/bin" export PATH

file="/etc/$1"
case $1 in
        passwd|group)
                match="^$2:\|^[^:]*:[^:]*:$2:" ;;
        shadow)
                match="^$2:" ;;
        networks|netgroup)
                match="^[[:space:]]*$2\>" ;;
        hosts|protocols|rpc|services|ethers)
                match="\<$2\>" ;;
        aliases)
                match="^[[:space:]]*$2[[:space:]]*:" ;;
        ""|-h|--help)
                echo "USAGE: $0 database [key]"
                exit 0 ;;
        *)
                echo "$0: Unknown database: $1" 1>&2
                exit 1 ;;
esac

if [ ! -f "$file" ] ; then
        echo "$0: Could not find database file for $1" 1>&2
        exit 1
fi

if [ $# -eq 1 ] ; then
        exec cat "$file"
else
        sed "s/#.*//; /$match/q; d" "$file" | grep . || exit 2
fi

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Mike Gilbert]

On Wed, Jun 10, 2015 at 12:44 PM, Joakim Tjernlund
<joakim.tjernlund@transmode.se> wrote:
> I wonder if it would be possible to use the script from sys-apps/getent(included below)
> to impl. getent in user.eclass instead of using glibc's getent? I cannot see any downside, is there one?
>

glibc's getent can get data from any NSS plugin (ie. LDAP, MySQL,
etc). Switching to use sys-apps/getent would mean that lookups would
only be performed against the local flat files.

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Anthony G. Basile]

On 6/10/15 1:52 PM, Mike Gilbert wrote:
> On Wed, Jun 10, 2015 at 12:44 PM, Joakim Tjernlund
> <joakim.tjernlund@transmode.se> wrote:
>> I wonder if it would be possible to use the script from sys-apps/getent(included below)
>> to impl. getent in user.eclass instead of using glibc's getent? I cannot see any downside, is there one?
>>
> glibc's getent can get data from any NSS plugin (ie. LDAP, MySQL,
> etc). Switching to use sys-apps/getent would mean that lookups would
> only be performed against the local flat files.
>

I added sys-apps/getent for musl and did not expect it to be used by 
anything else.   When I moved that script into sys-libs/musl, I masked 
getent:

# /usr/portage/profiles/package.mask:
# Anthony G. Basile <blueness@gentoo.org> (14 May 2015)
# No longer required by any packages in the tree.
# Masked for removal in 30 days.

If you want to keep it, we can remove the mask, but it does block 
against glibc and uclibc.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1133 bytes --]

On Wed, Jun 10, 2015 at 04:44:17PM +0000, Joakim Tjernlund wrote:
> I wonder if it would be possible to use the script from sys-apps/getent(included below)
> to impl. getent in user.eclass instead of using glibc's getent? I
> cannot see any downside, is there one?
> 
> This would help a lot(just seed your groups/users is in ROOT/etc/{passwd,group ...} first)
> when cross building or ROOT != / as it would be trivial for the script to respect ROOT/EPREFIX 
This would totally break when those services come from an NSS provider
other than files or compat.

There was a non-upstream patch to support NSS on non-root filesystems,
which would probably help a lot more; I haven't seen that original patch
in a while, so here's a very quick and completely untested
re-implementation of it.

In your case, you probably should MAKE sure that regardless of the
system nsswitch settings, the NSS file provider gets used.

Usage: NSS_FILES_ROOT=$ROOT/etc getent -s files passwd ...

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

[-- Attachment #2: glibc-2.21-nss_files_root.patch --]
[-- Type: text/x-diff, Size: 1651 bytes --]

nss_files: non-/ root support via env

In building systems eg cross-compile, it can be very useful to run getent on a
different root path.

This is a very rough, completely untested patch to implement it, based on a
patch I recall seeing many years ago, but can't find anywhere not.

Untested-By: Robin H. Johnson <robbat2@gentoo.org>
Original-Author: Robin H. Johnson <robbat2@gentoo.org>
Not-Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>

diff -Nuar glibc-2.21.orig/nss/nss_files/files-XXX.c glibc-2.21/nss/nss_files/files-XXX.c
--- glibc-2.21.orig/nss/nss_files/files-XXX.c	2015-06-10 11:16:59.282269957 -0700
+++ glibc-2.21/nss/nss_files/files-XXX.c	2015-06-10 11:43:55.582631857 -0700
@@ -38,7 +38,8 @@
 
 #define ENTNAME_r	CONCAT(ENTNAME,_r)
 
-#define DATAFILE	"/etc/" DATABASE
+#define NSS_FILES_ROOT	"/etc/"
+#define DATAFILE	NSS_FILES_ROOT DATABASE
 
 #ifdef NEED_H_ERRNO
 # include <netdb.h>
@@ -75,7 +76,19 @@
 
   if (stream == NULL)
     {
-      stream = fopen (DATAFILE, "rce");
+      char* datafile = DATAFILE;
+      const char* datafile_root;
+      if(datafile_root = secure_getenv("NSS_FILES_ROOT")) {
+#define merged_datafile_len 1024
+	char merged_datafile[merged_datafile_len];
+	strncpy(merged_datafile, datafile_root, merged_datafile_len);
+	strncat(merged_datafile, DATABASE, merged_datafile_len - strlen(merged_datafile));
+	datafile = &merged_datafile;
+	/* If we are using a different root to the files, do not cache */
+        keep_stream = 0; 
+	stayopen = 0;
+      }
+      stream = fopen (datafile, "rce");
 
       if (stream == NULL)
 	status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL;

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Joakim Tjernlund]

On Wed, 2015-06-10 at 14:06 -0400, Anthony G. Basile wrote:
> On 6/10/15 1:52 PM, Mike Gilbert wrote:
> > On Wed, Jun 10, 2015 at 12:44 PM, Joakim Tjernlund
> > <joakim.tjernlund@transmode.se> wrote:
> > > I wonder if it would be possible to use the script from sys-apps/getent(included below)
> > > to impl. getent in user.eclass instead of using glibc's getent? I cannot see any downside, is there one?
> > > 
> > glibc's getent can get data from any NSS plugin (ie. LDAP, MySQL,
> > etc). Switching to use sys-apps/getent would mean that lookups would
> > only be performed against the local flat files.
> > 
> 
> I added sys-apps/getent for musl and did not expect it to be used by 
> anything else.   When I moved that script into sys-libs/musl, I masked 
> getent:
> 
> # /usr/portage/profiles/package.mask:
> # Anthony G. Basile <blueness@gentoo.org> (14 May 2015)
> # No longer required by any packages in the tree.
> # Masked for removal in 30 days.
> 
> If you want to keep it, we can remove the mask, but it does block 
> against glibc and uclibc.
> 

I think one would have to take the guts of the script and transform it into an egetent eclass
function. Your script has done the hard part already so it should be easy to mangle into an eclass
fkn.
       Jocke

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Joakim Tjernlund]

On Wed, 2015-06-10 at 18:48 +0000, Robin H. Johnson wrote:
> On Wed, Jun 10, 2015 at 04:44:17PM +0000, Joakim Tjernlund wrote:
> > I wonder if it would be possible to use the script from sys-apps/getent(included below)
> > to impl. getent in user.eclass instead of using glibc's getent? I
> > cannot see any downside, is there one?
> > 
> > This would help a lot(just seed your groups/users is in ROOT/etc/{passwd,group ...} first)
> > when cross building or ROOT != / as it would be trivial for the script to respect ROOT/EPREFIX 
> This would totally break when those services come from an NSS provider
> other than files or compat.

But does user.eclass support anything but local system users ?

> 
> There was a non-upstream patch to support NSS on non-root filesystems,
> which would probably help a lot more; I haven't seen that original patch
> in a while, so here's a very quick and completely untested
> re-implementation of it.
> 
> In your case, you probably should MAKE sure that regardless of the
> system nsswitch settings, the NSS file provider gets used.
> 
> Usage: NSS_FILES_ROOT=$ROOT/etc getent -s files passwd ...
> 

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Anthony G. Basile]

On 6/10/15 2:49 PM, Joakim Tjernlund wrote:
> On Wed, 2015-06-10 at 14:06 -0400, Anthony G. Basile wrote:
>> On 6/10/15 1:52 PM, Mike Gilbert wrote:
>>> On Wed, Jun 10, 2015 at 12:44 PM, Joakim Tjernlund
>>> <joakim.tjernlund@transmode.se> wrote:
>>>> I wonder if it would be possible to use the script from sys-apps/getent(included below)
>>>> to impl. getent in user.eclass instead of using glibc's getent? I cannot see any downside, is there one?
>>>>
>>> glibc's getent can get data from any NSS plugin (ie. LDAP, MySQL,
>>> etc). Switching to use sys-apps/getent would mean that lookups would
>>> only be performed against the local flat files.
>>>
>> I added sys-apps/getent for musl and did not expect it to be used by
>> anything else.   When I moved that script into sys-libs/musl, I masked
>> getent:
>>
>> # /usr/portage/profiles/package.mask:
>> # Anthony G. Basile <blueness@gentoo.org> (14 May 2015)
>> # No longer required by any packages in the tree.
>> # Masked for removal in 30 days.
>>
>> If you want to keep it, we can remove the mask, but it does block
>> against glibc and uclibc.
>>
> I think one would have to take the guts of the script and transform it into an egetent eclass
> function. Your script has done the hard part already so it should be easy to mangle into an eclass
> fkn.
>         Jocke
To be clear, not mine, but from uclibc.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

Re: [gentoo-dev] Impl. egetent in user.eclass using script from sys-apps/getent?

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 1395 bytes --]

On Wed, Jun 10, 2015 at 11:56 AM, Joakim Tjernlund <
joakim.tjernlund@transmode.se> wrote:

> On Wed, 2015-06-10 at 18:48 +0000, Robin H. Johnson wrote:
> > On Wed, Jun 10, 2015 at 04:44:17PM +0000, Joakim Tjernlund wrote:
> > > I wonder if it would be possible to use the script from
> sys-apps/getent(included below)
> > > to impl. getent in user.eclass instead of using glibc's getent? I
> > > cannot see any downside, is there one?
> > >
> > > This would help a lot(just seed your groups/users is in
> ROOT/etc/{passwd,group ...} first)
> > > when cross building or ROOT != / as it would be trivial for the script
> to respect ROOT/EPREFIX
> > This would totally break when those services come from an NSS provider
> > other than files or compat.
>
> But does user.eclass support anything but local system users ?
>

https://github.com/google/nsscache for example.

They are still 'local', but not via files or compat ;0)

-A


>
> >
> > There was a non-upstream patch to support NSS on non-root filesystems,
> > which would probably help a lot more; I haven't seen that original patch
> > in a while, so here's a very quick and completely untested
> > re-implementation of it.
> >
> > In your case, you probably should MAKE sure that regardless of the
> > system nsswitch settings, the NSS file provider gets used.
> >
> > Usage: NSS_FILES_ROOT=$ROOT/etc getent -s files passwd ...
> >
>
>

[-- Attachment #2: Type: text/html, Size: 2299 bytes --]