busybox-1.8.2: eliminating libnss*

Denys Vlasenko vda.linux at googlemail.com
Sun Dec 16 09:37:59 PST 2007


On Friday 14 December 2007 14:37, Joseph Sacco wrote:
> I would like to eliminate /lib/libnss* and still be able to:
>
> * log in through a serial port [which runs a getty]
> * log in via telnet
> * connect to an HTTP server spawned from inetd
>
> I configured the busybox-1.8.2 Login/Password Utilities as shown below:
>
>         #
>         # Login/Password Management Utilities
>         #
>         CONFIG_FEATURE_SHADOWPASSWDS=y
>         CONFIG_USE_BB_SHADOW=y
>         CONFIG_USE_BB_PWD_GRP=y
>         # CONFIG_ADDGROUP is not set
>         # CONFIG_FEATURE_ADDUSER_TO_GROUP is not set
>         # CONFIG_DELGROUP is not set
>         # CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set
>         # CONFIG_ADDUSER is not set
>         # CONFIG_DELUSER is not set
>         CONFIG_GETTY=y
>         # CONFIG_FEATURE_UTMP is not set
>         # CONFIG_FEATURE_WTMP is not set
>         CONFIG_LOGIN=y
>         # CONFIG_PAM is not set
>         CONFIG_LOGIN_SCRIPTS=y
>         CONFIG_FEATURE_NOLOGIN=y
>         CONFIG_FEATURE_SECURETTY=y
>         CONFIG_PASSWD=y
>         # CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set
>         # CONFIG_CRYPTPW is not set
>         # CONFIG_CHPASSWD is not set
>         # CONFIG_SU is not set
>         # CONFIG_FEATURE_SU_SYSLOG is not set
>         # CONFIG_FEATURE_SU_CHECKS_SHELLS is not set
>         # CONFIG_SULOGIN is not set
>         # CONFIG_VLOCK is not set
>
> When I remove /lib/libnss* from the TARGET system I find that I can log
> in through a serial port but can no longer log in via telnet or connect
> to the HTTP server.  If I restore these libraries on the TARGET system I
> can access the system via telnet and can connect to the HTTP server.
>
> So... It looks like some sort of permissions issue. What am I missing?

glibc is very poorly suited for such things. You won't get much support
from glibc people with trying to live without dynamic loading of nss
libraries (I think).

I think using uClibc is the easiest path for you, as you appear to build
some sort of standalone system which does not need fancy user/group/host
resolution through ldap/samba/whatever.

It's also way smaller than glibc.
--
vda

