nsss
Software
skarnet.org

The nsssd-unix program

nsssd-unix is a daemon providing a backend for clients using the nsss library - more precisely, clients using the nsss-all or the nsss-switch functions.

The nsssd-unix backend is simple: it fetches user, group and shadow information from the /etc/passwd, /etc/group and /etc/shadow files. A client can obtain the same information directly by using the nsss-unix functions, without the overhead of going through a separate process. However, setting up a nsssd-unix service can still be useful:

nsssd-unix is not meant to be called directly; instead, it is expected to be run from a script as a part of a "nsssd" local service.

The examples/ subdirectory of the nsss package provides examples of how to run such a service. The simplest way to do so, for testing purposes, is a command line such as:

s6-ipcserver -l0 /run/service/nsssd/s nsssd-unix

/run/service/nsssd/s is the default place where nsss's implementation of the pwd.h, grp.h and shadow.h functions expects the nsssd service to be. It can be changed at nsss build time by giving the --with-nsssd-socket=PATH option to configure.

nsssd-unix does not listen on the socket itself: it reads from its standard input and writes to its standard output. It relies on a superserver such as s6-ipcserver to manage connections to the socket. A new instance of nsssd-unix is spawned for every client connection, and it only ever talks to that one client.

If fine-grained authorizations are required (only allowing certain users and groups to connect to the service), the superserver can be configured to enforce them.

nsssd-unix does not need to run as root, provided it can read the database files. It is recommended to create a nsss user and group dedicated to the nsssd service, and to run the superserver as this user and group. Note that on most systems /etc/passwd and /etc/group are world-readable but /etc/shadow is readable only by root and the shadow group, so the nsss user typically has to be made a member of that group (or the file's group ownership adjusted) for shadow lookups to succeed; confirm that all three files can be opened as the nsss user before relying on the service.
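The service setup described above (the socket path, the superserver, per-client access rules and the unprivileged service account), as an added shell example that is not part of the nsss package or its examples/ directory. It assumes s6 is installed (s6-setuidgid, s6-ipcserver, s6-ipcserver-access), uses the rules-directory layout documented for s6-accessrules, and treats the account name nsss, the gid number and the scratch paths as placeholders:

```sh
#!/bin/sh
# Added example, not part of the nsss package. Builds an s6-ipcserver-access
# rules directory and a run script for an "nsssd" service, and checks that
# the account the service runs as can read the database files.
# Assumptions: s6 is installed; the rules layout is the s6-accessrules one
# (uid/<n>, gid/<n>, uid/default, each holding an "allow" or "deny" file);
# the account name "nsss" and the gid numbers used below are placeholders.
set -eu

# make_nsssd_rules RULESDIR GID
# Allow root (uid 0) and members of GID, deny everyone else.
# s6-ipcserver-access looks up uid/<uid> first, then gid/<gid>, then
# uid/default, so the gid entry takes precedence over the default deny.
make_nsssd_rules() {
  rulesdir=$1
  gid=$2
  mkdir -p "$rulesdir/uid/0" "$rulesdir/uid/default" "$rulesdir/gid/$gid"
  : > "$rulesdir/uid/0/allow"
  : > "$rulesdir/gid/$gid/allow"
  : > "$rulesdir/uid/default/deny"
}

# write_nsssd_run RUNFILE SOCKET RULESDIR ACCOUNT
# Emit a run script: drop to ACCOUNT, bind SOCKET, and for each connection
# consult RULESDIR before handing the client's stdin/stdout to nsssd-unix.
# The directory containing SOCKET must be writable by ACCOUNT, because the
# socket is created after privileges have been dropped.
write_nsssd_run() {
  runfile=$1
  socket=$2
  rulesdir=$3
  account=$4
  {
    printf '#!/bin/sh\n'
    printf '# nsssd service run script (generated by the added example).\n'
    printf 'exec s6-setuidgid %s \\\n' "$account"
    printf '  s6-ipcserver -l0 %s \\\n' "$socket"
    printf '  s6-ipcserver-access -v1 -i %s \\\n' "$rulesdir"
    printf '  nsssd-unix\n'
  } > "$runfile"
  chmod 0755 "$runfile"
}

# check_db_readable FILE...
# Succeed only if every FILE is readable by the calling user. Run it as the
# service account (for instance under "s6-setuidgid nsss") to confirm that
# nsssd-unix will be able to open the databases; /etc/shadow is the usual
# failure, since it is normally readable only by root and the shadow group.
check_db_readable() {
  rc=0
  for f in "$@"; do
    if [ ! -r "$f" ]; then
      printf 'not readable: %s\n' "$f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Demo on a scratch directory (constructed paths; a real deployment would
# target the service directory, e.g. /run/service/nsssd, and the nsss account).
demo=$(mktemp -d)
make_nsssd_rules "$demo/rules" 42
write_nsssd_run "$demo/run" /run/service/nsssd/s "$demo/rules" nsss
cat "$demo/run"
check_db_readable /etc/passwd /etc/group || echo 'databases not all readable' >&2
```

To deploy, copy the generated run script into the service directory as run, place the rules directory next to it, and run check_db_readable on /etc/passwd, /etc/group and /etc/shadow as the nsss account before enabling the service; a deny for a connecting uid shows up as s6-ipcserver-access refusing the connection rather than as an nsssd-unix error.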