[nss_nonlocal.git] / README

This is nss_nonlocal, an nsswitch module that acts as a proxy for other 
nsswitch modules like hesiod, but prevents non-local users from 
potentially gaining local privileges by spoofing local UIDs and GIDs.

To use it, configure /etc/nsswitch.conf as follows:

passwd:         compat nonlocal
passwd_nonlocal: hesiod
group:          compat nonlocal
group_nonlocal: hesiod

The module also assigns special properties to two local groups, if
they exist:

• If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
  will be automatically added to it.  Furthermore, if a local user is
  added to this group, then that user will inherit any nonlocal gids
  from a nonlocal user of the same name, as supplementary gids.

• If the local group ‘nss-local-users’ exists, then local users will
  be automatically added to it.

Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
<tabbott@mit.edu>

nss_nonlocal is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.

nss_nonlocal is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with nss_nonlocal; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301  USA
Commit	Line	Data
f6903667 AK	1	This is nss_nonlocal, an nsswitch module that acts as a proxy for other
	2	nsswitch modules like hesiod, but prevents non-local users from
	3	potentially gaining local privileges by spoofing local UIDs and GIDs.
	4
	5	To use it, configure /etc/nsswitch.conf as follows:
	6
	7	passwd: compat nonlocal
	8	passwd_nonlocal: hesiod
	9	group: compat nonlocal
	10	group_nonlocal: hesiod
96a1ee0f	11
6ca16423 AK	12	The module also assigns special properties to two local groups, if
	13	they exist:
	14
	15	• If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
34cfeb28	16	will be automatically added to it. Furthermore, if a local user is
775f7dc3 AK	17	added to this group, then that user will inherit any nonlocal gids
775f7dc3 AK	18	from a nonlocal user of the same name, as supplementary gids.
6ca16423 AK	19
	20	• If the local group ‘nss-local-users’ exists, then local users will
	21	be automatically added to it.
	22
96a1ee0f AK	23	Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
	24	<tabbott@mit.edu>
	25
	26	nss_nonlocal is free software; you can redistribute it and/or modify
	27	it under the terms of the GNU Lesser General Public License as
	28	published by the Free Software Foundation; either version 2.1 of the
	29	License, or (at your option) any later version.
	30
	31	nss_nonlocal is distributed in the hope that it will be useful, but
	32	WITHOUT ANY WARRANTY; without even the implied warranty of
	33	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	34	Lesser General Public License for more details.
	35
	36	You should have received a copy of the GNU Lesser General Public
	37	License along with nss_nonlocal; if not, write to the Free Software
	38	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	39	02110-1301 USA