getgroups() reads through all group sources

  • 3479315
  • 22-Nov-2007
  • 27-Apr-2012

Environment

Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10 SP1

Situation

/etc/nsswitch.conf has been modified to get group information from more than one source, for example:

group: files [SUCCESS=return] ldap

However, despite the group of a user requested exists in /etc/group, the other source (LDAP, in this case) gets requested as well. This could lead to programs like id, which call getgroups(2), hang for quite a while if the LDAP server isn't ready, or programs that execute initgroups(3) to not start up correctly (for example, OpenLDAP itself.)

Resolution

Use [!NOTFOUND=return] instead of [SUCCESS=return] to stop accessing the following modules.

Additional Information

When looking for additional group ownership of a user, a SUCCESS status of a libnss_* module would stop the search as soon as one group is found in that module. However, additional groups may be present in the other modules, thus the module returns a different (undocumented) return code instead ofSUCCESSin this case. The negated NOTFOUND catches this reliably. Please note that all groups of a user must be specified completely in one of the sources, not spreaded among them, otherwise the user would have incomplete group ownerships.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.