X-Git-Url: https://ruderich.org/simon/gitweb/?p=nsscash%2Fnsscash.git;a=blobdiff_plain;f=README;h=fd18efbed2edbf750e6b05fcc1b744b72337eb93;hp=510ba33b02e7c51d43e19b8493e576e8a1ab2c24;hb=0cc987b1bcb7b16da4f46d84d216df3f6ef457e1;hpb=b8abeed6c7bddb9d9770f3be93dc41400354783b diff --git a/README b/README index 510ba33..fd18efb 100644 --- a/README +++ b/README @@ -19,16 +19,18 @@ lookups. To support quick lookups, in O(log n), the files utilize indices. Nsscash is very careful when deploying the changes: - All files are updated using the standard "write to temporary file", "sync", - "rename" steps which is atomic on UNIX file systems. + "rename" steps which is atomic on UNIX file systems. The indices are stored + in the same file preventing stale data during the update. - All errors cause an immediate abort ("fail fast") with a proper error message and a non-zero exit status. This prevents hiding possibly important errors. In addition all files are fetched first and then deployed to try to prevent inconsistent state if only one file can be downloaded. The state - file (containing last file modifications) is only updated when all - operations were successful. + file (containing last file modification and content hash) is only updated + when all operations were successful. - To prevent unexpected permissions, `nsscash` does not create new files. The user must create them first and `nsscash` will then re-use the permissions - and owner/group when updating the file (see examples below). + (without the write bits to discourage manual modifications) and owner/group + when updating the file (see examples below). - To prevent misconfigurations, empty files (no users/groups) are not permitted and will not be written to disk. This is designed to prevent the accidental loss of all users/groups on a system. 
@@ -42,6 +44,9 @@ The passwd/group files have the following size restrictions: - `nsscash` checks for these restrictions and aborts with an error if they are violated +nsscash has an extensive test suite for both the Go and C part testing general +requirements and various corner cases. + nsscash is licensed under AGPL version 3 or later. [1] https://github.com/google/nsscache @@ -54,8 +59,10 @@ nsscash is licensed under AGPL version 3 or later. - github.com/BurntSushi/toml - C compiler, for `libnss_cash.so.2` -Tested on Debian Stretch and Buster, but should work on any GNU/Linux system. -With adapations to the NSS module it should work on any UNIX-like system which +- HTTP(S) server to provide the passwd/group/etc. files + +Tested on Debian Buster, but should work on any GNU/Linux system. With +adaptations to the NSS module it should work on any UNIX-like system which uses NSS. @@ -127,9 +134,11 @@ typical configuration looks like this: The following global keys are available: -- `statepath`: Path to a JSON file which stores the last modification time of - each file; automatically updated by `nsscash`. Used to fetch data only when - something has changed to reduce the required traffic. +- `statepath`: Path to a JSON file which stores the last modification time and + hash of each file; automatically updated by `nsscash`. Used to fetch data + only when something has changed to reduce the required traffic, via + `If-Modified-Since`. When the hash of a file has changed the download is + forced. Each `file` block describes a single file to download/write. The following keys are available: 
@@ -139,11 +148,19 @@ keys are available: `plain` (arbitrary format). Only `passwd` and `group` files are supported by the nsscash NSS module. But, as explained above, `plain` can be used to distribute arbitrary files. The type is required as the `.nsscash` files are - pre processed for faster lookups and simpler code which requires a known + pre processed for faster lookups and simpler C code which requires a known format. - `url`: URL to fetch the file from; HTTP and HTTPS are supported +- `ca`: Path to a custom CA in PEM format. Restricts HTTPS requests to accept + only certificates signed by this CA. Defaults to the system's certificate + store when omitted. (optional) + +- `username`/`password`: Username and password sent via HTTP Basic-Auth to the + webserver. The configuration file must not be readable by other users when + this is used. (optional) + - `path`: Path to store the retrieved file
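Review bot: in the first hunk (@@ -19,16 +19,18 @@) the atomic-update bullet should state that the temporary file is created in the same directory as the target, since `rename(2)` is only atomic when source and destination are on the same file system, and should also say whether the directory is synced after the rename if durability (not just atomicity) is intended; "steps which is atomic" should read "steps, which are atomic". The new parenthetical "(without the write bits to discourage manual modifications)" splits the sentence "re-use the permissions ... and owner/group when updating the file" and can be misread as describing the user's file rather than what nsscash writes; suggest "re-use the owner/group and permissions of the existing file, clearing the write bits to discourage manual modifications".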
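Review bot: in the second hunk (@@ -42,6 +44,9 @@) "for both the Go and C part testing general requirements and various corner cases" is a run-on; suggest "for both the Go and the C part, covering general requirements and various corner cases".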
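Review bot: in the third hunk (@@ -54,8 +59,10 @@) the new requirement "HTTP(S) server to provide the passwd/group/etc. files" should say that HTTPS is the recommended transport (ideally pinned with the `ca` option documented later in this patch), because anyone who can alter a plain-HTTP response can inject users or group memberships into every client; the safeguards listed earlier in the README (atomic writes, no empty files, state only updated on success) do not protect against a tampered download. Minor: the change from "Debian Stretch and Buster" to "Debian Buster" silently drops Stretch; if Stretch is no longer tested, saying so is clearer than just removing it.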
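Review bot: in the fourth hunk (@@ -127,9 +134,11 @@) the `statepath` text leaves ambiguous which hash is tracked: it says "hash of each file" and "When the hash of a file has changed the download is forced", while the first hunk calls it a "content hash". State whether this is the hash of the file as written to `path` (so a locally modified or replaced file is detected and re-fetched even when the server answers with 304 Not Modified) or the hash of the last downloaded body, since only the former makes the "download is forced" sentence a useful integrity property. It would also help to say what happens when the server sends no `Last-Modified` header, as `If-Modified-Since` has nothing to compare against in that case.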
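Review bot: in the last hunk (@@ -139,11 +148,19 @@) the `username`/`password` entry should warn that HTTP Basic-Auth transmits the credentials merely base64-encoded, i.e. in cleartext on the wire, so it must only be combined with an `https://` `url`; the "must not be readable by other users" note covers the configuration file at rest but not the transport. For `ca`, say whether the given CA replaces the system store entirely (as "accept only certificates signed by this CA" implies) and confirm that hostname verification against the `url` is still performed. Style: "pre processed" should be "pre-processed".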