This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [SSSD] [RFC][PATCH] Add new getgrgid2(), getgrnam2() interfaces to glibc


On Tue, 19 Oct 2010 09:59:21 -0400
Stephen Gallagher <sgallagh@redhat.com> wrote:

> My main concern with adding a new interface would be buy-in from all
> of the assorted name-service providers (nss_nis, nss_ldap, etc.).
> Let's be honest: even if we created this new interface, the most
> likely outcome is that the libraries are just going to continue
> processing the way that they do already, and then just reply with a
> limited subset of the results.

The main concern here I think is that of making a substantial effort to
change a lot of applications to use an interface that is only
marginally better for just one use case. I am not sure it is worth the
effort given the very meager gains you get.

> Creating the groups in our SSSD cache without including membership
> information introduces integrity issues when we're dealing with
> offline operation, for example. If access control for some
> application relies on group membership, but our cache only has
> reference to the group and its GID, without a list of members, then
> when we're offline and can't request further information, we'll
> improperly deny access.

This shouldn't be a real problem, as all group memberships relevant to
logged-in users must be fetched at login time. And only users that
previously logged in are allowed to log in again or stay logged in
when offline.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

