What is it?

nsss is an implementation of a subset of the pwd.h, group.h and shadow.h family of functions, performing user database access on Unix systems.

Usually, user database access via getpwnam() and similar functions is provided by the system's libc. However, not all libcs implement a configurable backend for the user/group database. For instance, the musl libc, on Linux, only supports the standard /etc/passwd mechanism; it also supports the nscd protocol but this is not quite enough:

The mechanism used by glibc, called Name Service Switch (abbreviated to nsswitch or NSS), has its own set of issues that makes it unsuitable in certain situations.

nsss is a secure implementation of a "name service switch": configurable user/group/shadow database access, providing getpwnam() et al. functionality by communicating over a Unix domain socket with a daemon; the daemon can perform lookups in any database it chooses.

nsss does not perform dynamic module loading, only adds a small footprint to the application's binary, and does not add any complex decision engine into the client's address space. Applications can be statically linked against the nsss library, and still benefit from configurable user database access functions.




nsss is free software. It is available under the ISC license.






The following commands are not meant to be invoked directly on the command line. They are meant to be used behind a Unix domain socket super-server such as s6-ipcserver in order to provide a local service. Depending on the chosen command, the service will provide a different backend to the name service.

Future versions of nsss will come with more backends.


Related resources

nsss discussion