From owner-freebsd-hackers@FreeBSD.ORG Thu Nov 3 14:02:30 2005 Return-Path: X-Original-To: hackers@FreeBSD.org Delivered-To: freebsd-hackers@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E15C516A41F; Thu, 3 Nov 2005 14:02:29 +0000 (GMT) (envelope-from ceri@submonkey.net) Received: from shrike.submonkey.net (cpc2-cdif2-3-1-cust208.cdif.cable.ntl.com [82.31.78.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B0B443D5C; Thu, 3 Nov 2005 14:02:25 +0000 (GMT) (envelope-from ceri@submonkey.net) Received: from ceri by shrike.submonkey.net with local (Exim 4.54 (FreeBSD)) id 1EXffZ-00082v-7Y; Thu, 03 Nov 2005 14:02:21 +0000 Date: Thu, 3 Nov 2005 14:02:21 +0000 From: Ceri Davies To: Michael Bushkov Message-ID: <20051103140221.GF29387@submonkey.net> Mail-Followup-To: Ceri Davies , Michael Bushkov , Brooks Davis , hackers@FreeBSD.org, current@FreeBSD.org References: <20051102001507.GB14638@odin.ac.hmc.edu> <20051103124027.GE29387@submonkey.net> <436A0C73.3010405@rsu.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TYoqghpzCwoKvQG2" Content-Disposition: inline In-Reply-To: <436A0C73.3010405@rsu.ru> X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.11 Sender: Ceri Davies Cc: hackers@FreeBSD.org, current@FreeBSD.org Subject: Re: nsswitch reviewer wanted X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Nov 2005 14:02:30 -0000 --TYoqghpzCwoKvQG2 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Michael, On Thu, Nov 03, 2005 at 04:11:15PM +0300, Michael Bushkov wrote: > Ceri Davies wrote: >=20 > >I realise that you weren't asking for comments, but I took a quick look > >at http://www.rsu.ru/~bushman/nsswitch_cached/nss_cached.patch and have > >some. I'll send this to the original lists too. > > Thanks for comments! I need them much. Glad to be of some help. Don't take anything I say as any kind of authority though. > >o There aren't nearly enough comments. Granted, I'm not a C aficionado, > > but it's ~ line 3200 of that patch before we come to a new non-trivial > > comment, and there aren't many after that. > > > Ok - I'll comment the code. Thanks. > >o cached/config.c has magic numbers in create_def_configuration_entry(), > > which probably belong as #defines in config.h instead. I'm not sure > > what style(9) says about that though, so am happy to be ignored. > > > Yes, that's right - I guess, the most correct way is to move them to=20 > config.h As I mentioned, I'm no guru, but that seems to be conventional. > >o There is a single mention of a ssh_hostkeys cache in > > include/nsswitch.h, and no code to implement it. > > > I've implemented the patch for OpenSSH, which allows it to use nsswitch= =20 > for the hostkeys. It should be committed by the OpenSSH team. That's why= =20 > the ssh_hostkeys cache is mentioned in the nsswitch.h. This line can=20 > easialy be removed - as it doesn't affect anything. I hadn't realised that. I'd be interested to see that patch if you still have a copy, as it would answer the question of how much work doing such a thing would be. So far as I'm concerned there is no issue leaving that in there, I just wanted to make sure that it hadn't slipped in by mistake. > >o On line 15448, there is a whitespace nit. Also, in this area, are we > > sure that there is no benefit in continuing to key by euid/egid if > > perform_actual_lookup is enabled; can we send the euid/egid with the > > lookup request? > > > You are talking about passing euid/egid to the underlying nsswitch=20 > modules, right? This will require significant changes in these modules,= =20 > and, as far as I'm converned, won't gain us any benefits. >=20 > I can't see any benefit of keying by euid/egud when the=20 > 'perform_actual_lookups' mode is enabled. By ignoring them, we make the= =20 > cache common for all users, and no user can poison it - because all=20 > requests are made solely by ourselves. If we won't ignore the euid/egid,= =20 > then for every user, we'll have to make similar requests, this will also= =20 > affect the cache size. > When perform_actual_lookups mode is off, cache should be certainly=20 > separated by eud/egid for (basically) security reasons. OK, that's an good enough explanation for me. Thanks. > >o A user should be able to invalidate one of their caches (e.g., > > "cached -i hosts" to flush their hosts cache). Root should be able > > to do it for all users with a single command (e.g., "cached -I hosts" > > to flush all hosts caches). > > > Ok - I'll do that. Superb! > >o The manual for cached.conf is unclear over whether it's OK to name > > an "unknown" cache in cached.conf. > > > I'll corect this. In fact, it's ok to do that. I thought that was the intended meaning. That's great. > >o The location of cached.conf is defaulted to /usr/local/etc in > > cached/cached.c and should be changed on commit. > > > Will be corrected. Cool. Thanks again for working on this. Ceri --=20 Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -- Einstein (attrib.) --TYoqghpzCwoKvQG2 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDahhsocfcwTS3JF8RAp9mAJ9LXX2xeqhRiRcQry9t/wkZaHLxXQCeJ+S1 w1i53+FbA0vZ3qBsiHfEAVs= =X2nz -----END PGP SIGNATURE----- --TYoqghpzCwoKvQG2--