nsss - a secure NSS-like implementation for small libcs

nsss

What is it ?

nsss is an implementation of a subset of the pwd.h, grp.h and shadow.h family of functions, performing user database access on Unix systems.

Usually, user database access via getpwnam() and similar functions is provided by the system's libc. However, not all libcs implement a configurable backend for the user/group database. For instance, the musl libc on Linux only supports the standard /etc/passwd mechanism; it also supports the nscd protocol, but this is not quite enough:

  • musl only connects to nscd when it cannot find an answer in its files backend.
  • The nscd protocol does not support enumeration, so primitives such as getpwent() cannot be implemented over nscd.

The mechanism used by glibc, called Name Service Switch (abbreviated to nsswitch or NSS), has its own set of issues that make it unsuitable in certain situations.

nsss is a secure implementation of a "name service switch": configurable user/group/shadow database access, providing getpwnam() et al. functionality by communicating over a Unix domain socket with a daemon; the daemon can perform lookups in any database it chooses.

nsss does not perform dynamic module loading, only adds a small footprint to the application's binary, and does not add any complex decision engine into the client's address space. Applications can be statically linked against the nsss library, and still benefit from configurable user database access functions.



Installation

Requirements

  • A POSIX-compliant system with a standard C development environment
  • GNU make, version 3.81 or later
  • skalibs version 2.15.0.0 or later. It's a build-time requirement. It's also a run-time requirement if you link against the shared version of the skalibs library.
  • s6 version 2.15.0.0 or later. It's a run-time requirement only, to run the nsssd service (you can do without it if you have a suitable replacement for s6-ipcserver).

Licensing

nsss is free software. It is available under the ISC license.

Download

Compilation

  • See the enclosed INSTALL file for installation details.

Upgrade notes

  • This page lists the differences to be aware of between the previous versions of nsss and the current one.

Reference

Commands

The following commands are not meant to be directly invoked on the command-line. They are meant to be used behind a Unix domain socket super-server such as s6-ipcserver in order to provide a local service. Depending on the chosen command, the service will provide a different backend to the name service.

Future versions of nsss will come with more backends.

Libraries

  • The nsss library interface, which applications use. A client application using one of the following primitives will automatically perform libnsss calls:
    • endpwent()
    • setpwent()
    • getpwent()
    • getpwent_r()
    • getpwuid()
    • getpwuid_r()
    • getpwnam()
    • getpwnam_r()
    • endgrent()
    • setgrent()
    • getgrent()
    • getgrent_r()
    • getgrgid()
    • getgrgid_r()
    • getgrnam()
    • getgrnam_r()
    • getgrouplist()
    • endspent()
    • setspent()
    • getspent()
    • getspent_r()
    • getspnam()
    • getspnam_r()
  • The nsssd library interface, which can be used to write additional backends.
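As an added example (not code from nsss or skarnet.org), the program below uses only the standard pwd.h/grp.h primitives from the list above. Linked against libnsss it would resolve them through the nsss socket instead of the libc's own backend; here it is written and tested against a plain libc, and the default user name "root" is just a constructed input. It shows the two checks that callers most often get wrong whatever the backend: the _r functions return the error code as their value (not in errno) and report a too-small buffer with ERANGE, so the buffer must be grown and the call retried; and getgrouplist() returns -1 with the required count written back when the gid array is too small. The helper names lookup_user, user_groups and has_gid are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Reentrant user lookup. getpwnam_r() returns an error number as its value;
   ERANGE means "record does not fit in buf", so we grow and retry. Not-found
   is 0 with *res == NULL (POSIX); the glibc man page documents that some
   backends report it as ENOENT or ESRCH instead, so both are treated the same.
   Returns 1 when found (*uid/*gid set), 0 when no such user, -1 on error
   with errno set. */
static int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    size_t len = 64;                /* deliberately small to exercise ERANGE */
    const size_t max = (size_t)1 << 20;  /* refuse to grow without bound */
    for (;;) {
        struct passwd pw, *res = NULL;
        char *buf = malloc(len);
        int r;
        if (!buf) return -1;
        r = getpwnam_r(name, &pw, buf, len, &res);
        if (r == ERANGE) {
            free(buf);
            if (len >= max) { errno = ERANGE; return -1; }
            len *= 2;
            continue;
        }
        if (r == ENOENT || r == ESRCH) { free(buf); return 0; }
        if (r != 0) { free(buf); errno = r; return -1; }
        if (!res) { free(buf); return 0; }
        *uid = pw.pw_uid;
        *gid = pw.pw_gid;
        free(buf);
        return 1;
    }
}

/* All gids of a user, primary gid included. getgrouplist() returns -1 when
   the array is too small and stores the needed size in *ngroups; we grow
   the array and retry. Returns the count (caller frees *out) or -1 on error. */
static int user_groups(const char *name, gid_t primary, gid_t **out)
{
    int n = 4;                      /* deliberately small to exercise the retry */
    for (;;) {
        int want = n;
        gid_t *g = malloc((size_t)n * sizeof *g);
        if (!g) return -1;
        if (getgrouplist(name, primary, g, &want) != -1) {
            *out = g;
            return want;
        }
        free(g);
        if (want <= n) want = n * 2;  /* defensive: never spin if want is unchanged */
        n = want;
        if (n > 65536) { errno = ERANGE; return -1; }
    }
}

/* True if gid array g (length n) contains want. */
static int has_gid(const gid_t *g, int n, gid_t want)
{
    int i;
    for (i = 0; i < n; i++)
        if (g[i] == want) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";   /* constructed default */
    uid_t uid;
    gid_t gid, *groups = NULL;
    int r = lookup_user(name, &uid, &gid), n, i;
    if (r < 0) { perror("getpwnam_r"); return 1; }
    if (r == 0) { fprintf(stderr, "%s: no such user\n", name); return 2; }
    n = user_groups(name, gid, &groups);
    if (n < 0) { perror("getgrouplist"); return 1; }
    printf("%s uid=%lu gid=%lu groups:", name, (unsigned long)uid, (unsigned long)gid);
    for (i = 0; i < n; i++) printf(" %lu", (unsigned long)groups[i]);
    printf("\n");
    free(groups);
    return 0;
}
```

Because nsss answers these exact calls, a statically linked client needs no code change to move from the libc's files backend to the nsss daemon; the only thing that changes is which process reads the database.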

Related resources

nsss discussion

  • nsss is discussed on the skaware mailing-list.