The implementation of the unixd cache relies on inotify to detect changes to files in /etc so that we know when to reload the data for nss/passwd. However, the way that groupadd/del and other tools work is they copy the file, change it, and then move it into place. It turns out that william of the past didn't realise that inotify works on inodes not paths like other tools do (auditctl for example).
As a result, when something modified /etc/group or another related file, the removal was seen, but this breaks notifications on any future change until you reload unixd.
To resolve this we need to recursively watch /etc with inotify - yep, that's correct. We have to watch everything in /etc for changes because it's the only way to pick up on the add/remove of files. But because we have to watch everything, we need permissions to watch everything.
This forces us to move the parsing of the etc passwd/group/shadow files to the unixd tasks daemon - arguably, this is the correct place to read these anyway since that is a high priv (and locked down) daemon. Because of this, we actually end up solving the missing "shadow" group on debian issue, and probably similar on the BSD's in future.
In order to make my life easier while testing I also threw in a makefile that symlinks the files to needed locations for testing. It has plenty of warnings as it should.
Fixes#3499Fixes#3407Fixes#3249
* Resolve kanidm-unix auth-test bug
When reworking the unix daemon, we missed changing the auth-test
tool to handle the new challenge-response flow correctly which
would cause the session to disconnect.
* Cleanup
* kanidm-unixd default config via PPA problem with version 2 on debian bookworm
Fixes#3312
* fix(coverage): moving to using cargo-tarpaulin
* kanidm-unixd default config via PPA problem with version 2 on debian bookworm
Fixes#3312
Allow caching and checking of shadow entries (passwords)
Cache and serve system id's
improve some security warnings
prepare for multi-resolver
Allow the kanidm provider to be not configured
Allow group extension
This starts the support for multi-resolver operation as well as a system level nss resolver.
In future we'll add the remaining support to auth system users with pam too.
