Is it possible to override / bypass nscd?


I am making an NSS module that answers depending on the name of the caller. For example, if sshd calls getpwnam_r(...), the pw_shell will be /bin/bash; if telnetd calls getpwnam_r(...), the pw_shell will be /bin/ksh.

A prototype is made and it works. However, when nscd is running and the cache is hot, the module's function will not be called. nscd's cached result is returned to every caller. nscd assumes the only variable affecting the result is time; it never considers that the process name will affect the result.

Suppose we can make some daemon or module to override nscd; the code should check whether the process name is on my list or not. If it is on the list, skip nscd; otherwise, let nscd answer getpwnam_r(...).

Is it possible?


Edit: A less preferable, but OK, alternative is to bypass nscd when calling getpwnam_r(...).


There are 2 best solutions below

0
On

Yes. It is possible to bypass nscd on a per-process basis, although it's a bit of a hack.

If you check out the glibc source code you'll observe there's a function called __nss_disable_nscd. This is used by nscd (or unscd) to ensure that it doesn't go recursive.

Probably easier to read the example in unscd. See http://busybox.net/~vda/unscd/nscd-0.51.c

0
On

The calls to nscd are hardwired into the standard library such that any call to a map-related function (getpwnam(), gethostbyname() etc...) will query nscd first. The only solution is to turn nscd off or to write your own.

You can confirm this by using getent and strace:

strace -ttt getent passwd

Others have written nscd replacements - gnscd by Google, unscd for BusyBox. So if you cannot disable nscd then you must rewrite it....