Nsscash is very careful when deploying the changes:
- All files are updated using the standard "write to temporary file", "sync",
- "rename" steps which is atomic on UNIX file systems.
+ "rename" steps which is atomic on UNIX file systems. The indices are stored
+ in the same file preventing stale data during the update.
- All errors cause an immediate abort ("fail fast") with a proper error
message and a non-zero exit status. This prevents hiding possibly important
errors. In addition all files are fetched first and then deployed to try to
when all operations were successful.
- To prevent unexpected permissions, `nsscash` does not create new files. The
user must create them first and `nsscash` will then re-use the permissions
- (without the write bits) and owner/group when updating the file (see
- examples below).
+ (without the write bits to discourage manual modifications) and owner/group
+ when updating the file (see examples below).
- To prevent misconfigurations, empty files (no users/groups) are not
permitted and will not be written to disk. This is designed to prevent the
accidental loss of all users/groups on a system.
- `nsscash` checks for these restrictions and aborts with an error if they are
violated
+nsscash has an extensive test suite for both the Go and C part testing general
+requirements and various corner cases.
+
nsscash is licensed under AGPL version 3 or later.
[1] https://github.com/google/nsscache
- github.com/BurntSushi/toml
- C compiler, for `libnss_cash.so.2`
-Tested on Debian Stretch and Buster, but should work on any GNU/Linux system.
-With adapations to the NSS module it should work on any UNIX-like system which
+- HTTP(S) server to provide the passwd/group/etc. files
+
+Tested on Debian Buster, but should work on any GNU/Linux system. With
+adaptations to the NSS module it should work on any UNIX-like system which
uses NSS.
`plain` (arbitrary format). Only `passwd` and `group` files are supported by
the nsscash NSS module. But, as explained above, `plain` can be used to
distribute arbitrary files. The type is required as the `.nsscash` files are
- pre processed for faster lookups and simpler code which requires a known
+ pre processed for faster lookups and simpler C code which requires a known
format.
- `url`: URL to fetch the file from; HTTP and HTTPS are supported
+- `ca`: Path to a custom CA in PEM format. Restricts HTTPS requests to accept
+ only certificates signed by this CA. Defaults to the system's certificate
+ store when omitted. (optional)
+
+- `username`/`password`: Username and password sent via HTTP Basic-Auth to the
+ webserver. The configuration file must not be readable by other users when
+ this is used. (optional)
+
- `path`: Path to store the retrieved file