X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=README;h=fd18efbed2edbf750e6b05fcc1b744b72337eb93;hb=0cc987b1bcb7b16da4f46d84d216df3f6ef457e1;hp=ee1088a4391d6f358ba4664e19bd546fa86b9932;hpb=8e30fc811afc50bfdb00e366cb1ac00e186b0511;p=nsscash%2Fnsscash.git diff --git a/README b/README index ee1088a..fd18efb 100644 --- a/README +++ b/README @@ -19,7 +19,8 @@ lookups. To support quick lookups, in O(log n), the files utilize indices. Nsscash is very careful when deploying the changes: - All files are updated using the standard "write to temporary file", "sync", - "rename" steps which is atomic on UNIX file systems. + "rename" steps which is atomic on UNIX file systems. The indices are stored + in the same file preventing stale data during the update. - All errors cause an immediate abort ("fail fast") with a proper error message and a non-zero exit status. This prevents hiding possibly important errors. In addition all files are fetched first and then deployed to try to @@ -28,8 +29,8 @@ Nsscash is very careful when deploying the changes: when all operations were successful. - To prevent unexpected permissions, `nsscash` does not create new files. The user must create them first and `nsscash` will then re-use the permissions - (without the write bits) and owner/group when updating the file (see - examples below). + (without the write bits to discourage manual modifications) and owner/group + when updating the file (see examples below). - To prevent misconfigurations, empty files (no users/groups) are not permitted and will not be written to disk. This is designed to prevent the accidental loss of all users/groups on a system. @@ -43,6 +44,9 @@ The passwd/group files have the following size restrictions: - `nsscash` checks for these restrictions and aborts with an error if they are violated +nsscash has an extensive test suite for both the Go and C part testing general +requirements and various corner cases. + nsscash is licensed under AGPL version 3 or later. [1] https://github.com/google/nsscache @@ -55,8 +59,10 @@ nsscash is licensed under AGPL version 3 or later. - github.com/BurntSushi/toml - C compiler, for `libnss_cash.so.2` -Tested on Debian Stretch and Buster, but should work on any GNU/Linux system. -With adapations to the NSS module it should work on any UNIX-like system which +- HTTP(S) server to provide the passwd/group/etc. files + +Tested on Debian Buster, but should work on any GNU/Linux system. With +adaptations to the NSS module it should work on any UNIX-like system which uses NSS. @@ -142,11 +148,19 @@ keys are available: `plain` (arbitrary format). Only `passwd` and `group` files are supported by the nsscash NSS module. But, as explained above, `plain` can be used to distribute arbitrary files. The type is required as the `.nsscash` files are - pre processed for faster lookups and simpler code which requires a known + pre processed for faster lookups and simpler C code which requires a known format. - `url`: URL to fetch the file from; HTTP and HTTPS are supported +- `ca`: Path to a custom CA in PEM format. Restricts HTTPS requests to accept + only certificates signed by this CA. Defaults to the system's certificate + store when omitted. (optional) + +- `username`/`password`: Username and password sent via HTTP Basic-Auth to the + webserver. The configuration file must not be readable by other users when + this is used. (optional) + - `path`: Path to store the retrieved file