[Fedora-packaging] Possible UsersAndGroupsDraft

Simo Sorce ssorce at redhat.com
Thu Jun 14 17:17:21 UTC 2007


On Thu, 2007-06-14 at 10:44 -0400, Jarod Wilson wrote:
> Tom "spot" Callaway wrote:
> > On Thu, 2007-06-14 at 10:14 -0400, Simo Sorce wrote:
> >> On Thu, 2007-06-14 at 08:44 -0500, Tom "spot" Callaway wrote:
> >>
> >>> A possible improvement I could see would be to change the tool to ask
> >>> pam if the user exists, as opposed to simply looking
> >> I guess you mean NSS
> >>
> >>> in /etc/passwd, /etc/group, as that would better cover network user
> >>> conflicts.
> >> If you don't already do it, you should _really_ do it and quickly.
> >> Checking /etc/passwd directly today is not acceptable IMO, NSS has been
> >> introduced exactly to decouple user querying from knowledge of the
> >> underlying db and mechanisms used.
> > 
> > So... since I know pam but not NSS, is there a way to ask that question
> > (does a user/group exist) on the commandline with existing NSS tools?
> 
> Do these achieve the desired results?

No.

> # getent passwd | cut -d: -f1 | grep -c <user>
> 
> # getent group | cut -d: -f1 | grep -c <group>

It is advised to query the specific name required; the POSIX
specification allows for backends not to reply with all or any of the accounts
in the db. But you have to reply if a specific user/group is requested.

On very large environments (nis, ldap, winbindd) listing all the
accounts and then grepping out the one you need is a complete waste of
resources anyway and also a possibly very, very long operation.

So the right method might be:

getent passwd <user> >/dev/null
getent group <group> >/dev/null

If the user/group exists then 0 is returned; if not, then non-zero (2 iirc)
is returned.

Simo.
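
The keyed lookup recommended in this message, wrapped as a POSIX sh helper. This is an added example, not code from the thread or from any Fedora tool. The function name `nss_exists` and its return convention are assumptions; the exit statuses relied on (0 = found, 2 = key not found) are those documented in getent(1).

```shell
#!/bin/sh
# nss_exists DB NAME  (hypothetical helper, not part of any Fedora tool)
#   returns 0  NAME exists in DB (passwd or group) according to NSS
#           1  NAME does not exist
#           2  bad arguments or the lookup itself failed
nss_exists() {
    nss_db=$1
    nss_name=$2
    nss_rc=0

    case $nss_db in
        passwd|group) ;;
        *) return 2 ;;
    esac

    # An empty key must never reach getent: with no key it enumerates the
    # whole database and exits 0, which would read as "exists".
    [ -n "$nss_name" ] || return 2

    # Keyed lookup: one query to the backend, no enumeration.
    nss_entry=$(getent "$nss_db" "$nss_name" 2>/dev/null) || nss_rc=$?

    case $nss_rc in
        0) ;;
        2) return 1 ;;   # getent(1): key could not be found
        *) return 2 ;;   # unknown database, getent missing, other failure
    esac

    # glibc getent resolves an all-digit key by UID/GID, so confirm that the
    # name field of the returned entry is the name that was asked for.
    if [ "${nss_entry%%:*}" = "$nss_name" ]; then
        return 0
    fi
    return 1
}

# Demo against the local NSS configuration.
if nss_exists passwd root; then
    echo "root is known to NSS"
fi
```

Treating status 2 as "skip, and do not create the account" keeps a failed network lookup from being mistaken for an absent user.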



