1 This is nss_nonlocal, an nsswitch module that acts as a proxy for other
2 nsswitch modules like hesiod, but prevents non-local users from
3 potentially gaining local privileges by spoofing local UIDs and GIDs.
5 To use it, configure /etc/nsswitch.conf as follows:
7 passwd: compat nonlocal
8 passwd_nonlocal: hesiod
10 group_nonlocal: hesiod
12 The module also assigns special properties to two local groups and one
13 local user, if they exist:
15 • If the local group ‘nss-nonlocal-users’ exists, then nonlocal users
16 will be automatically added to it. Furthermore, if a local user is
17 added to this group, then that user will inherit any nonlocal gids
18 from a nonlocal user of the same name, as supplementary gids.
20 • If the local group ‘nss-local-users’ exists, then local users will
21 be automatically added to it.
23 • If the local user ‘nss-nonlocal-users’ is added to a local group,
24 then the local group will inherit the nonlocal membership of a group
27 Copyright © 2007–2010 Anders Kaseorg <andersk@mit.edu> and Tim Abbott
30 nss_nonlocal is free software; you can redistribute it and/or modify
31 it under the terms of the GNU Lesser General Public License as
32 published by the Free Software Foundation; either version 2.1 of the
33 License, or (at your option) any later version.
35 nss_nonlocal is distributed in the hope that it will be useful, but
36 WITHOUT ANY WARRANTY; without even the implied warranty of
37 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
38 Lesser General Public License for more details.
40 You should have received a copy of the GNU Lesser General Public
41 License along with nss_nonlocal; if not, write to the Free Software
42 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA