nss.texi 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744
  1. @node Name Service Switch, Users and Groups, Job Control, Top
  2. @chapter System Databases and Name Service Switch
  3. @c %MENU% Accessing system databases
  4. @cindex Name Service Switch
  5. @cindex NSS
  6. @cindex databases
  7. Various functions in the C Library need to be configured to work
  8. correctly in the local environment. Traditionally, this was done by
  9. using files (e.g., @file{/etc/passwd}), but other nameservices (like the
  10. Network Information Service (NIS) and the Domain Name Service (DNS))
  11. became popular, and were hacked into the C library, usually with a fixed
  12. search order.
  13. @Theglibc{} contains a cleaner solution to this problem. It is
  14. designed after a method used by Sun Microsystems in the C library of
  15. @w{Solaris 2}. @Theglibc{} follows their name and calls this
  16. scheme @dfn{Name Service Switch} (NSS).
  17. Though the interface might be similar to Sun's version there is no
  18. common code. We never saw any source code of Sun's implementation and
  19. so the internal interface is incompatible. This also manifests in the
  20. file names we use as we will see later.
  21. @menu
  22. * NSS Basics:: What is this NSS good for.
  23. * NSS Configuration File:: Configuring NSS.
  24. * NSS Module Internals:: How does it work internally.
  25. * Extending NSS:: What to do to add services or databases.
  26. @end menu
  27. @node NSS Basics, NSS Configuration File, Name Service Switch, Name Service Switch
  28. @section NSS Basics
  29. The basic idea is to put the implementation of the different services
  30. offered to access the databases in separate modules. This has some
  31. advantages:
  32. @enumerate
  33. @item
  34. Contributors can add new services without adding them to @theglibc{}.
  35. @item
  36. The modules can be updated separately.
  37. @item
  38. The C library image is smaller.
  39. @end enumerate
  40. To fulfill the first goal above, the ABI of the modules will be described
  41. below. For getting the implementation of a new service right it is
  42. important to understand how the functions in the modules get called.
  43. They are in no way designed to be used by the programmer directly.
  44. Instead the programmer should only use the documented and standardized
  45. functions to access the databases.
  46. @noindent
  47. The databases available in the NSS are
  48. @cindex aliases
  49. @cindex ethers
  50. @cindex group
  51. @cindex gshadow
  52. @cindex hosts
  53. @cindex initgroups
  54. @cindex netgroup
  55. @cindex networks
  56. @cindex passwd
  57. @cindex protocols
  58. @cindex publickey
  59. @cindex rpc
  60. @cindex services
  61. @cindex shadow
  62. @table @code
  63. @item aliases
  64. Mail aliases
  65. @comment @pxref{Mail Aliases}.
  66. @item ethers
  67. Ethernet numbers,
  68. @comment @pxref{Ethernet Numbers}.
  69. @item group
  70. Groups of users, @pxref{Group Database}.
  71. @item gshadow
  72. Group passphrase hashes and related information.
  73. @item hosts
  74. Host names and numbers, @pxref{Host Names}.
  75. @item initgroups
  76. Supplementary group access list.
  77. @item netgroup
  78. Network wide list of host and users, @pxref{Netgroup Database}.
  79. @item networks
  80. Network names and numbers, @pxref{Networks Database}.
  81. @item passwd
  82. User identities, @pxref{User Database}.
  83. @item protocols
  84. Network protocols, @pxref{Protocols Database}.
  85. @item publickey
  86. Public keys for Secure RPC.
  87. @item rpc
  88. Remote procedure call names and numbers.
  89. @comment @pxref{RPC Database}.
  90. @item services
  91. Network services, @pxref{Services Database}.
  92. @item shadow
  93. User passphrase hashes and related information.
  94. @comment @pxref{Shadow Passphrase Database}.
  95. @end table
  96. @noindent
  97. @c We currently don't implement automount, netmasks, or bootparams.
  98. More databases may be added later.
  99. @node NSS Configuration File, NSS Module Internals, NSS Basics, Name Service Switch
  100. @section The NSS Configuration File
  101. @cindex @file{/etc/nsswitch.conf}
  102. @cindex @file{nsswitch.conf}
  103. Somehow the NSS code must be told about the wishes of the user. For
  104. this reason there is the file @file{/etc/nsswitch.conf}. For each
  105. database, this file contains a specification of how the lookup process should
  106. work. The file could look like this:
  107. @example
  108. @include nsswitch.texi
  109. @end example
  110. The first column is the database as you can guess from the table above.
  111. The rest of the line specifies how the lookup process works. Please
  112. note that you specify the way it works for each database individually.
  113. This cannot be done with the old way of a monolithic implementation.
  114. The configuration specification for each database can contain two
  115. different items:
  116. @itemize @bullet
  117. @item
  118. the service specification like @code{files}, @code{db}, or @code{nis}.
  119. @item
  120. the reaction on lookup result like @code{[NOTFOUND=return]}.
  121. @end itemize
  122. @menu
  123. * Services in the NSS configuration:: Service names in the NSS configuration.
  124. * Actions in the NSS configuration:: React appropriately to the lookup result.
  125. * Notes on NSS Configuration File:: Things to take care about while
  126. configuring NSS.
  127. @end menu
  128. @node Services in the NSS configuration, Actions in the NSS configuration, NSS Configuration File, NSS Configuration File
  129. @subsection Services in the NSS configuration File
  130. The above example file mentions five different services: @code{files},
  131. @code{db}, @code{dns}, @code{nis}, and @code{nisplus}. This does not
  132. mean these
  133. services are available on all sites and neither does it mean these are
  134. all the services which will ever be available.
  135. In fact, these names are simply strings which the NSS code uses to find
  136. the implicitly addressed functions. The internal interface will be
  137. described later. Visible to the user are the modules which implement an
  138. individual service.
  139. Assume the service @var{name} shall be used for a lookup. The code for
  140. this service is implemented in a module called @file{libnss_@var{name}}.
  141. On a system supporting shared libraries this is in fact a shared library
  142. with the name (for example) @file{libnss_@var{name}.so.2}. The number
  143. at the end is the currently used version of the interface which will not
  144. change frequently. Normally the user should not have to be cognizant of
  145. these files since they should be placed in a directory where they are
  146. found automatically. Only the names of all available services are
  147. important.
  148. Lastly, some system software may make use of the NSS configuration file
  149. to store their own configuration for similar purposes. Examples of this
  150. include the @code{automount} service which is used by @code{autofs}.
  151. @node Actions in the NSS configuration, Notes on NSS Configuration File, Services in the NSS configuration, NSS Configuration File
  152. @subsection Actions in the NSS configuration
  153. The second item in the specification gives the user much finer control
  154. on the lookup process. Action items are placed between two service
  155. names and are written within brackets. The general form is
  156. @display
  157. @code{[} ( @code{!}? @var{status} @code{=} @var{action} )+ @code{]}
  158. @end display
  159. @noindent
  160. where
  161. @smallexample
  162. @var{status} @result{} success | notfound | unavail | tryagain
  163. @var{action} @result{} return | continue
  164. @end smallexample
  165. The case of the keywords is insignificant. The @var{status}
  166. values are the results of a call to a lookup function of a specific
  167. service. They mean:
  168. @ftable @samp
  169. @item success
  170. No error occurred and the wanted entry is returned. The default action
  171. for this is @code{return}.
  172. @item notfound
  173. The lookup process works ok but the needed value was not found. The
  174. default action is @code{continue}.
  175. @item unavail
  176. @cindex DNS server unavailable
  177. The service is permanently unavailable. This can either mean the needed
  178. file is not available, or, for DNS, the server is not available or does
  179. not allow queries. The default action is @code{continue}.
  180. @item tryagain
  181. The service is temporarily unavailable. This could mean a file is
  182. locked or a server currently cannot accept more connections. The
  183. default action is @code{continue}.
  184. @end ftable
  185. @noindent
  186. The @var{action} values mean:
  187. @ftable @samp
  188. @item return
  189. If the status matches, stop the lookup process at this service
  190. specification. If an entry is available, provide it to the application.
  191. If an error occurred, report it to the application. In case of a prior
  192. @samp{merge} action, the data is combined with previous lookup results,
  193. as explained below.
  194. @item continue
  195. If the status matches, proceed with the lookup process at the next
  196. entry, discarding the result of the current lookup (and any merged
  197. data). An exception is the @samp{initgroups} database and the
  198. @samp{success} status, where @samp{continue} acts like @code{merge}
  199. below.
  200. @item merge
  201. Proceed with the lookup process, retaining the current lookup result.
  202. This action is useful only with the @samp{success} status. If a
  203. subsequent service lookup succeeds and has a matching @samp{return}
  204. specification, the results are merged, the lookup process ends, and the
  205. merged results are returned to the application. If the following service
  206. has a matching @samp{merge} action, the lookup process continues,
  207. retaining the combined data from this and any previous lookups.
  208. After a @code{merge} action, errors from subsequent lookups are ignored,
  209. and the data gathered so far will be returned.
  210. The @samp{merge} only applies to the @samp{success} status. It is
  211. currently implemented for the @samp{group} database and its group
  212. members field, @samp{gr_mem}. If specified for other databases, it
  213. causes the lookup to fail (if the @var{status} matches).
  214. When processing @samp{merge} for @samp{group} membership, the group GID
  215. and name must be identical for both entries. If only one or the other is
  216. a match, the behavior is undefined.
  217. @end ftable
  218. @noindent
  219. If we have a line like
  220. @smallexample
  221. ethers: nisplus [NOTFOUND=return] db files
  222. @end smallexample
  223. @noindent
  224. this is equivalent to
  225. @smallexample
  226. ethers: nisplus [SUCCESS=return NOTFOUND=return UNAVAIL=continue
  227. TRYAGAIN=continue]
  228. db [SUCCESS=return NOTFOUND=continue UNAVAIL=continue
  229. TRYAGAIN=continue]
  230. files
  231. @end smallexample
  232. @noindent
  233. (except that it would have to be written on one line). The default
  234. value for the actions are normally what you want, and only need to be
  235. changed in exceptional cases.
  236. If the optional @code{!} is placed before the @var{status} this means
  237. the following action is used for all statuses but @var{status} itself.
  238. I.e., @code{!} is negation as in the C language (and others).
  239. Before we explain the exception which makes this action item necessary
  240. one more remark: obviously it makes no sense to add another action
  241. item after the @code{files} service. Since there is no other service
  242. following the action @emph{always} is @code{return}.
  243. @cindex nisplus, and completeness
  244. Now, why is this @code{[NOTFOUND=return]} action useful? To understand
  245. this we should know that the @code{nisplus} service is often
  246. complete; i.e., if an entry is not available in the NIS+ tables it is
  247. not available anywhere else. This is what is expressed by this action
  248. item: it is useless to examine further services since they will not give
  249. us a result.
  250. @cindex nisplus, and booting
  251. @cindex bootstrapping, and services
  252. The situation would be different if the NIS+ service is not available
  253. because the machine is booting. In this case the return value of the
  254. lookup function is not @code{notfound} but instead @code{unavail}. And
  255. as you can see in the complete form above: in this situation the
  256. @code{db} and @code{files} services are used. Neat, isn't it? The
  257. system administrator need not pay special care for the time the system
  258. is not completely ready to work (while booting or shutdown or
  259. network problems).
  260. @node Notes on NSS Configuration File, , Actions in the NSS configuration, NSS Configuration File
  261. @subsection Notes on the NSS Configuration File
  262. Finally a few more hints. The NSS implementation is not completely
  263. helpless if @file{/etc/nsswitch.conf} does not exist. For
  264. all supported databases there is a default value so it should normally
  265. be possible to get the system running even if the file is corrupted or
  266. missing.
  267. @cindex default value, and NSS
  268. For the @code{hosts} and @code{networks} databases the default value is
  269. @code{files dns}. I.e., local configuration will override the contents
  270. of the domain name system (DNS).
  271. The @code{passwd}, @code{group}, and @code{shadow} databases was
  272. traditionally handled in a special way. The appropriate files in the
  273. @file{/etc} directory were read but if an entry with a name starting
  274. with a @code{+} character was found NIS was used. This kind of lookup
  275. was removed and now the default value for the services is @code{files}.
  276. libnss_compat no longer depends on libnsl and can be used without NIS.
  277. For all other databases the default value is @code{files}.
  278. @cindex optimizing NSS
  279. A second point is that the user should try to optimize the lookup
  280. process. The different service have different response times.
  281. A simple file look up on a local file could be fast, but if the file
  282. is long and the needed entry is near the end of the file this may take
  283. quite some time. In this case it might be better to use the @code{db}
  284. service which allows fast local access to large data sets.
  285. Often the situation is that some global information like NIS must be
  286. used. So it is unavoidable to use service entries like @code{nis} etc.
  287. But one should avoid slow services like this if possible.
  288. @node NSS Module Internals, Extending NSS, NSS Configuration File, Name Service Switch
  289. @section NSS Module Internals
  290. Now it is time to describe what the modules look like. The functions
  291. contained in a module are identified by their names. I.e., there is no
  292. jump table or the like. How this is done is of no interest here; those
  293. interested in this topic should read about Dynamic Linking.
  294. @comment @ref{Dynamic Linking}.
  295. @menu
  296. * NSS Module Names:: Construction of the interface function of
  297. the NSS modules.
  298. * NSS Modules Interface:: Programming interface in the NSS module
  299. functions.
  300. @end menu
  301. @node NSS Module Names, NSS Modules Interface, NSS Module Internals, NSS Module Internals
  302. @subsection The Naming Scheme of the NSS Modules
  303. @noindent
  304. The name of each function consists of various parts:
  305. @quotation
  306. _nss_@var{service}_@var{function}
  307. @end quotation
  308. @var{service} of course corresponds to the name of the module this
  309. function is found in.@footnote{Now you might ask why this information is
  310. duplicated. The answer is that we want to make it possible to link
  311. directly with these shared objects.} The @var{function} part is derived
  312. from the interface function in the C library itself. If the user calls
  313. the function @code{gethostbyname} and the service used is @code{files}
  314. the function
  315. @smallexample
  316. _nss_files_gethostbyname_r
  317. @end smallexample
  318. @noindent
  319. in the module
  320. @smallexample
  321. libnss_files.so.2
  322. @end smallexample
  323. @noindent
  324. @cindex reentrant NSS functions
  325. is used. You see, what is explained above in not the whole truth. In
  326. fact the NSS modules only contain reentrant versions of the lookup
  327. functions. I.e., if the user would call the @code{gethostbyname_r}
  328. function this also would end in the above function. For all user
  329. interface functions the C library maps this call to a call to the
  330. reentrant function. For reentrant functions this is trivial since the
  331. interface is (nearly) the same. For the non-reentrant version the
  332. library keeps internal buffers which are used to replace the user
  333. supplied buffer.
  334. I.e., the reentrant functions @emph{can} have counterparts. No service
  335. module is forced to have functions for all databases and all kinds to
  336. access them. If a function is not available it is simply treated as if
  337. the function would return @code{unavail}
  338. (@pxref{Actions in the NSS configuration}).
  339. The file name @file{libnss_files.so.2} would be on a @w{Solaris 2}
  340. system @file{nss_files.so.2}. This is the difference mentioned above.
  341. Sun's NSS modules are usable as modules which get indirectly loaded
  342. only.
  343. The NSS modules in @theglibc{} are prepared to be used as normal
  344. libraries themselves. This is @emph{not} true at the moment, though.
  345. However, the organization of the name space in the modules does not make it
  346. impossible like it is for Solaris. Now you can see why the modules are
  347. still libraries.@footnote{There is a second explanation: we were too
  348. lazy to change the Makefiles to allow the generation of shared objects
  349. not starting with @file{lib} but don't tell this to anybody.}
  350. @node NSS Modules Interface, , NSS Module Names, NSS Module Internals
  351. @subsection The Interface of the Function in NSS Modules
  352. Now we know about the functions contained in the modules. It is now
  353. time to describe the types. When we mentioned the reentrant versions of
  354. the functions above, this means there are some additional arguments
  355. (compared with the standard, non-reentrant versions). The prototypes for
  356. the non-reentrant and reentrant versions of our function above are:
  357. @smallexample
  358. struct hostent *gethostbyname (const char *name)
  359. int gethostbyname_r (const char *name, struct hostent *result_buf,
  360. char *buf, size_t buflen, struct hostent **result,
  361. int *h_errnop)
  362. @end smallexample
  363. @noindent
  364. The actual prototype of the function in the NSS modules in this case is
  365. @smallexample
  366. enum nss_status _nss_files_gethostbyname_r (const char *name,
  367. struct hostent *result_buf,
  368. char *buf, size_t buflen,
  369. int *errnop, int *h_errnop)
  370. @end smallexample
  371. I.e., the interface function is in fact the reentrant function with the
  372. change of the return value, the omission of the @var{result} parameter,
  373. and the addition of the @var{errnop} parameter. While the user-level
  374. function returns a pointer to the result the reentrant function return
  375. an @code{enum nss_status} value:
  376. @vtable @code
  377. @item NSS_STATUS_TRYAGAIN
  378. numeric value @code{-2}
  379. @item NSS_STATUS_UNAVAIL
  380. numeric value @code{-1}
  381. @item NSS_STATUS_NOTFOUND
  382. numeric value @code{0}
  383. @item NSS_STATUS_SUCCESS
  384. numeric value @code{1}
  385. @end vtable
  386. @noindent
  387. Now you see where the action items of the @file{/etc/nsswitch.conf} file
  388. are used.
  389. If you study the source code you will find there is a fifth value:
  390. @code{NSS_STATUS_RETURN}. This is an internal use only value, used by a
  391. few functions in places where none of the above value can be used. If
  392. necessary the source code should be examined to learn about the details.
  393. In case the interface function has to return an error it is important
  394. that the correct error code is stored in @code{*@var{errnop}}. Some
  395. return status values have only one associated error code, others have
  396. more.
  397. @multitable @columnfractions .3 .2 .50
  398. @item
  399. @code{NSS_STATUS_TRYAGAIN} @tab
  400. @code{EAGAIN} @tab One of the functions used ran temporarily out of
  401. resources or a service is currently not available.
  402. @item
  403. @tab
  404. @code{ERANGE} @tab The provided buffer is not large enough.
  405. The function should be called again with a larger buffer.
  406. @item
  407. @code{NSS_STATUS_UNAVAIL} @tab
  408. @code{ENOENT} @tab A necessary input file cannot be found.
  409. @item
  410. @code{NSS_STATUS_NOTFOUND} @tab
  411. @code{ENOENT} @tab The requested entry is not available.
  412. @item
  413. @code{NSS_STATUS_NOTFOUND} @tab
  414. @code{SUCCESS} @tab There are no entries.
  415. Use this to avoid returning errors for inactive services which may
  416. be enabled at a later time. This is not the same as the service
  417. being temporarily unavailable.
  418. @end multitable
  419. These are proposed values. There can be other error codes and the
  420. described error codes can have different meaning. @strong{With one
  421. exception:} when returning @code{NSS_STATUS_TRYAGAIN} the error code
  422. @code{ERANGE} @emph{must} mean that the user provided buffer is too
  423. small. Everything else is non-critical.
  424. In statically linked programs, the main application and NSS modules do
  425. not share the same thread-local variable @code{errno}, which is the
  426. reason why there is an explicit @var{errnop} function argument.
  427. The above function has something special which is missing for almost all
  428. the other module functions. There is an argument @var{h_errnop}. This
  429. points to a variable which will be filled with the error code in case
  430. the execution of the function fails for some reason. (In statically
  431. linked programs, the thread-local variable @code{h_errno} is not shared
  432. with the main application.)
  433. The @code{get@var{XXX}by@var{YYY}} functions are the most important
  434. functions in the NSS modules. But there are others which implement
  435. the other ways to access system databases (say for the
  436. user database, there are @code{setpwent}, @code{getpwent}, and
  437. @code{endpwent}). These will be described in more detail later.
  438. Here we give a general way to determine the
  439. signature of the module function:
  440. @itemize @bullet
  441. @item
  442. the return value is @code{enum nss_status};
  443. @item
  444. the name (@pxref{NSS Module Names});
  445. @item
  446. the first arguments are identical to the arguments of the non-reentrant
  447. function;
  448. @item
  449. the next four arguments are:
  450. @table @code
  451. @item STRUCT_TYPE *result_buf
  452. pointer to buffer where the result is stored. @code{STRUCT_TYPE} is
  453. normally a struct which corresponds to the database.
  454. @item char *buffer
  455. pointer to a buffer where the function can store additional data for
  456. the result etc.
  457. @item size_t buflen
  458. length of the buffer pointed to by @var{buffer}.
  459. @item int *errnop
  460. the low-level error code to return to the application. If the return
  461. value is not @code{NSS_STATUS_SUCCESS}, @code{*@var{errnop}} needs to be
  462. set to a non-zero value. An NSS module should never set
  463. @code{*@var{errnop}} to zero. The value @code{ERANGE} is special, as
  464. described above.
  465. @end table
  466. @item
  467. possibly a last argument @var{h_errnop}, for the host name and network
  468. name lookup functions. If the return value is not
  469. @code{NSS_STATUS_SUCCESS}, @code{*@var{h_errnop}} needs to be set to a
  470. non-zero value. A generic error code is @code{NETDB_INTERNAL}, which
  471. instructs the caller to examine @code{*@var{errnop}} for further
  472. details. (This includes the @code{ERANGE} special case.)
  473. @end itemize
  474. @noindent
  475. This table is correct for all functions but the @code{set@dots{}ent}
  476. and @code{end@dots{}ent} functions.
  477. @node Extending NSS, , NSS Module Internals, Name Service Switch
  478. @section Extending NSS
  479. One of the advantages of NSS mentioned above is that it can be extended
  480. quite easily. There are two ways in which the extension can happen:
  481. adding another database or adding another service. The former is
  482. normally done only by the C library developers. It is
  483. here only important to remember that adding another database is
  484. independent from adding another service because a service need not
  485. support all databases or lookup functions.
  486. A designer/implementer of a new service is therefore free to choose the
  487. databases s/he is interested in and leave the rest for later (or
  488. completely aside).
  489. @menu
  490. * Adding another Service to NSS:: What is to do to add a new service.
  491. * NSS Module Function Internals:: Guidelines for writing new NSS
  492. service functions.
  493. @end menu
  494. @node Adding another Service to NSS, NSS Module Function Internals, Extending NSS, Extending NSS
  495. @subsection Adding another Service to NSS
  496. The sources for a new service need not (and should not) be part of @theglibc{}
  497. itself. The developer retains complete control over the
  498. sources and its development. The links between the C library and the
  499. new service module consists solely of the interface functions.
  500. Each module is designed following a specific interface specification.
  501. For now the version is 2 (the interface in version 1 was not adequate)
  502. and this manifests in the version number of the shared library object of
  503. the NSS modules: they have the extension @code{.2}. If the interface
  504. changes again in an incompatible way, this number will be increased.
  505. Modules using the old interface will still be usable.
  506. Developers of a new service will have to make sure that their module is
  507. created using the correct interface number. This means the file itself
  508. must have the correct name and on ELF systems the @dfn{soname} (Shared
  509. Object Name) must also have this number. Building a module from a bunch
  510. of object files on an ELF system using GNU CC could be done like this:
  511. @smallexample
  512. gcc -shared -o libnss_NAME.so.2 -Wl,-soname,libnss_NAME.so.2 OBJECTS
  513. @end smallexample
  514. @noindent
  515. @ref{Link Options, Options for Linking, , gcc, GNU CC}, to learn
  516. more about this command line.
  517. To use the new module the library must be able to find it. This can be
  518. achieved by using options for the dynamic linker so that it will search
  519. the directory where the binary is placed. For an ELF system this could be
  520. done by adding the wanted directory to the value of
  521. @code{LD_LIBRARY_PATH}.
  522. But this is not always possible since some programs (those which run
  523. under IDs which do not belong to the user) ignore this variable.
  524. Therefore the stable version of the module should be placed into a
  525. directory which is searched by the dynamic linker. Normally this should
  526. be the directory @file{$prefix/lib}, where @file{$prefix} corresponds to
  527. the value given to configure using the @code{--prefix} option. But be
  528. careful: this should only be done if it is clear the module does not
  529. cause any harm. System administrators should be careful.
  530. @node NSS Module Function Internals, , Adding another Service to NSS, Extending NSS
  531. @subsection Internals of the NSS Module Functions
  532. Until now we only provided the syntactic interface for the functions in
  533. the NSS module. In fact there is not much more we can say since the
  534. implementation obviously is different for each function. But a few
  535. general rules must be followed by all functions.
  536. In fact there are four kinds of different functions which may appear in
  537. the interface. All derive from the traditional ones for system databases.
  538. @var{db} in the following table is normally an abbreviation for the
  539. database (e.g., it is @code{pw} for the user database).
  540. @table @code
  541. @item enum nss_status _nss_@var{database}_set@var{db}ent (void)
  542. This function prepares the service for following operations. For a
  543. simple file based lookup this means files could be opened, for other
  544. services this function simply is a noop.
  545. One special case for this function is that it takes an additional
  546. argument for some @var{database}s (i.e., the interface is
  547. @code{int set@var{db}ent (int)}). @ref{Host Names}, which describes the
  548. @code{sethostent} function.
  549. The return value should be @var{NSS_STATUS_SUCCESS} or according to the
  550. table above in case of an error (@pxref{NSS Modules Interface}).
  551. @item enum nss_status _nss_@var{database}_end@var{db}ent (void)
  552. This function simply closes all files which are still open or removes
  553. buffer caches. If there are no files or buffers to remove this is again
  554. a simple noop.
  555. There normally is no return value other than @var{NSS_STATUS_SUCCESS}.
  556. @item enum nss_status _nss_@var{database}_get@var{db}ent_r (@var{STRUCTURE} *result, char *buffer, size_t buflen, int *errnop)
  557. Since this function will be called several times in a row to retrieve
  558. one entry after the other it must keep some kind of state. But this
  559. also means the functions are not really reentrant. They are reentrant
  560. only in that simultaneous calls to this function will not try to
  561. write the retrieved data in the same place (as it would be the case for
  562. the non-reentrant functions); instead, it writes to the structure
  563. pointed to by the @var{result} parameter. But the calls share a common
  564. state and in the case of a file access this means they return neighboring
  565. entries in the file.
  566. The buffer of length @var{buflen} pointed to by @var{buffer} can be used
  567. for storing some additional data for the result. It is @emph{not}
  568. guaranteed that the same buffer will be passed for the next call of this
  569. function. Therefore one must not misuse this buffer to save some state
  570. information from one call to another.
  571. Before the function returns with a failure code, the implementation
  572. should store the value of the local @code{errno} variable in the variable
  573. pointed to be @var{errnop}. This is important to guarantee the module
  574. working in statically linked programs. The stored value must not be
  575. zero.
  576. As explained above this function could also have an additional last
  577. argument. This depends on the database used; it happens only for
  578. @code{host} and @code{networks}.
  579. The function shall return @code{NSS_STATUS_SUCCESS} as long as there are
  580. more entries. When the last entry was read it should return
  581. @code{NSS_STATUS_NOTFOUND}. When the buffer given as an argument is too
  582. small for the data to be returned @code{NSS_STATUS_TRYAGAIN} should be
  583. returned. When the service was not formerly initialized by a call to
  584. @code{_nss_@var{DATABASE}_set@var{db}ent} all return values allowed for
  585. this function can also be returned here.
  586. @item enum nss_status _nss_@var{DATABASE}_get@var{db}by@var{XX}_r (@var{PARAMS}, @var{STRUCTURE} *result, char *buffer, size_t buflen, int *errnop)
  587. This function shall return the entry from the database which is
  588. addressed by the @var{PARAMS}. The type and number of these arguments
  589. vary. It must be individually determined by looking to the user-level
  590. interface functions. All arguments given to the non-reentrant version
  591. are here described by @var{PARAMS}.
  592. The result must be stored in the structure pointed to by @var{result}.
  593. If there are additional data to return (say strings, where the
  594. @var{result} structure only contains pointers) the function must use the
  595. @var{buffer} of length @var{buflen}. There must not be any references
  596. to non-constant global data.
  597. The implementation of this function should honor the @var{stayopen}
  598. flag set by the @code{set@var{DB}ent} function whenever this makes sense.
  599. Before the function returns, the implementation should store the value of
  600. the local @code{errno} variable in the variable pointed to by
  601. @var{errnop}. This is important to guarantee the module works in
  602. statically linked programs.
  603. Again, this function takes an additional last argument for the
  604. @code{host} and @code{networks} database.
  605. The return value should as always follow the rules given above
  606. (@pxref{NSS Modules Interface}).
  607. @end table