https://bugzilla.redhat.com/show_bug.cgi?id=751450 also refers. And https://bugzilla.redhat.com/show_bug.cgi?id=835612 and https://bugzilla.redhat.com/show_bug.cgi?id=1366569. So hotly debated topic. initgroups was recently introduced into the Gentoo /etc/nsswitch.conf as well (or only recently saw it) and bit into the same issue. So basically I auto-modify /etc/nsswitch for passwd and groups to add additional interfaces. With a commented initgroups the behaviour is sane (in my opinion/testing). I can modify the initgroups line additionally as well to also include the other lookup options (and I've done that, but contemplating switching to just commenting it instead since it's now two lines that need to be kept in sync). My feeling is that it's probably best to leave it commented by default, along with an explanation perhaps of when it would be useful. The default behaviour when it's commented out seems identical for the default case. I'm sure there is some use-case where it may make sense, e.g., if initgroups should only initialize some of the groups to which a user belongs - I just for the life of me can't think of such an example. Would like to know if there is a use-case for an explicit initgroups that makes sense, and if we want to have this enabled by default.
Gentoo used to have a very old nsswitch.conf. Now we just use the default nsswitch.conf from the upstream package: https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nsswitch.conf;h=39ca88bf5198df2bfa8f4a2e4bf631f3baee16c0;hb=HEAD
I failed to find an upstream bug report in the issues you have linked. Can you file the upstream bug report and explain your use case and desired changes? https://sourceware.org/bugzilla/ (glibc component)
I would prefer to use upstream's nsswitch.conf.
Hi.

I agree with using upstream nsswitch.conf as far as possible. I haven't filed a bug with the project itself. Was first looking to gain understanding and confirm Gentoo's stance. It seems the stance is "we want to use upstream but will deviate if required".

So let me try again: With a defined initgroups in /etc/nsswitch.conf there is a counter-intuitive behaviour where iterating through all system groups manually doesn't always align with what is obtained from initgroups(3). For example:

    group: db files mysql
    initgroups: db [SUCCESS=continue] files

Note: mismatch of the modules with group and initgroups, this results in:

    arthur ~ # id admin
    uid=1002(admin) gid=100(users) groups=100(users),115(ulsreport)
    arthur ~ # getent group | grep admin
    ulsreport:x:115:admin
    sshusers:x:1001:admin

Commenting the initgroups line:

    arthur ~ # id admin
    uid=1002(admin) gid=100(users) groups=100(users),115(ulsreport),1001(sshusers)

Or updating initgroups to "db [SUCCESS=continue] files mysql":

    arthur ~ # id admin
    uid=1002(admin) gid=100(users) groups=100(users),115(ulsreport)

Oops, that should be "db [SUCCESS=continue] files [SUCCESS=continue] mysql":

    arthur ~ # id admin
    uid=1002(admin) gid=100(users) groups=100(users),115(ulsreport),1001(sshusers)

My point being that's now two things to keep in sync when the default with a commented initgroups works adequately. My script now comments initgroups standard, was just caught off guard by the change, just hoping to avoid same for someone else.
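An added example, not part of the thread or of glibc: a small lint that flags the two mismatches shown in the comment above, a group source missing from initgroups and a non-final initgroups source without [SUCCESS=continue]. The function names are hypothetical, the sample configs are constructed from the lines quoted above, and the rule that a successful lookup stops the search when an explicit initgroups line exists is taken from the id output above.

```python
import re

STATUSES = {"SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN"}
GROUP = "group: db files mysql\n"
# Constructed samples: the initgroups variants tried in the comment above.
SAMPLES = {
    "mismatch": GROUP + "initgroups: db [SUCCESS=continue] files\n",
    "partial": GROUP + "initgroups: db [SUCCESS=continue] files mysql\n",
    "synced": GROUP + "initgroups: db [SUCCESS=continue] files [SUCCESS=continue] mysql\n",
    "commented": GROUP + "#initgroups: db [SUCCESS=continue] files\n",
}

def parse_nsswitch(text):
    """Map each database to [(service, {STATUS: ACTION}), ...]."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" not in line:
            continue
        db, spec = line.split(":", 1)
        entries = []
        for svc, bracket in re.findall(r"(\w+)|\[([^\]]*)\]", spec):
            if svc:
                entries.append((svc.lower(), {}))
                continue
            for item in bracket.upper().split() if entries else []:
                status, _, action = item.partition("=")
                # "!STATUS=action" applies to every status except STATUS.
                hit = STATUSES - {status[1:]} if status.startswith("!") else {status}
                entries[-1][1].update(dict.fromkeys(hit, action))
        dbs[db.strip().lower()] = entries
    return dbs

def check_initgroups(text):
    """Return reasons initgroups(3) can miss groups that `getent group` lists."""
    dbs = parse_nsswitch(text)
    if "initgroups" not in dbs:
        return []  # no explicit line: the `group` sources are used instead
    init = dbs["initgroups"]
    names = [svc for svc, _ in init]
    problems = [f"'{svc}' is in group but not in initgroups"
                for svc, _ in dbs.get("group", []) if svc not in names]
    # Assumption from the output above: with an explicit line, SUCCESS returns.
    problems += [f"lookup stops once '{svc}' succeeds; later sources are skipped"
                 for svc, actions in init[:-1]
                 if actions.get("SUCCESS", "RETURN") != "CONTINUE"]
    return problems

if __name__ == "__main__":
    print({name: check_initgroups(conf) for name, conf in SAMPLES.items()})
```

Running check_initgroups() on the contents of /etc/nsswitch.conf after any automated edit of the group line catches the case where supplementary groups used for access control (sshusers in the comment above) silently drop out of id output.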
RHEL itself is also having issues with this. I again request that we please take action to comment initgroups in /etc/nsswitch.conf by default. https://bugzilla.redhat.com/show_bug.cgi?id=751450
Can you file the upstream bug report and explain your use case and desired changes? https://sourceware.org/bugzilla/ (glibc component)