From owner-freebsd-bugs Sun Mar 3 1:20:12 2002
Message-Id: <200203030916.g239GT211722@freefall.freebsd.org>
Date: Sun, 3 Mar 2002 01:16:29 -0800 (PST)
From: Martin Butkus
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/35506: innetgr() doesn't match wildcard fields in NIS-only mode
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         35506
>Category:       misc
>Synopsis:       innetgr() doesn't match wildcard fields in NIS-only mode
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 03 01:20:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Martin Butkus
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Technical University Braunschweig, Germany
>Environment:
FreeBSD mufasa.thgwf.de 4.5-STABLE FreeBSD 4.5-STABLE #2: Wed Feb 20 23:23:10 CET 2002 root.mb@mufasa.thgwf.de:/usr/obj/usr/src/sys/MUFASA i386
>Description:
innetgr() has code to speed up the lookup of netgroup entries when netgroups
are served exclusively via NIS (i.e. no local netgroups are defined in
/etc/netgroup). This code does not honor wildcard entries. For example,
according to netgroup(5), a netgroup like this should match any
(host, user, domain) combination:

	FOO (,,)

However, innetgr() returns 0 for it when no local netgroups are defined.
When at least one local netgroup is present, it returns 1 (the correct
behaviour).

This bug affects both login(1) and ssh(1), since both use innetgr() for
access control. It is therefore very annoying when you try to use NIS-based
netgroups for centralized access control as described in the FreeBSD
Handbook (i.e. entries of the form "+@NETGROUP" in master.passwd).
>How-To-Repeat:
This is the NIS netgroup file that I use:

	root@mufasa /var/yp # cat netgroup
	FOO (,,)

This C program will print "0 0 0" when there is no local /etc/netgroup
file present:

--- snip ---
#include <stdio.h>
#include <netdb.h>	/* innetgr() */

int
main(void)
{
	int i;

	/* host given, user wildcarded */
	i = innetgr("FOO", "foo", NULL, "bar");
	printf("%d ", i);
	/* user given, host wildcarded */
	i = innetgr("FOO", NULL, "foo", "bar");
	printf("%d ", i);
	/* only the domain given */
	i = innetgr("FOO", NULL, NULL, "bar");
	printf("%d\n", i);
	return (0);
}
--- snap ---

However, when a local netgroup file like this is present:

	root@mufasa /etc # cat netgroup
	BAR (,,)
	+

then the result is "1 1 1" (as expected). The local netgroup file needs to
have at least one entry besides "+".
>Fix:
Unfortunately I do not understand the NIS-only code in innetgr() quite
well. From my understanding, it doesn't seem to take wildcard entries into
account at all.

A possible but ugly workaround would be to always create a local netgroup
file that contains at least one local netgroup besides the "+" entry, thus
bypassing said code. Another possibility would be to rip out the NIS
speedup code completely.
>Release-Note:
>Audit-Trail:
>Unformatted:
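For reference, here is a small stand-alone matcher that implements the triple semantics netgroup(5) describes and that the report expects from innetgr(): an empty field in a (host,user,domain) triple is a wildcard, and a NULL query argument matches any value. This is an added example written for this page, not code from the PR or from FreeBSD's libc; the netgroup map it reads (the FOO (,,) line above plus a constructed BAR entry) is embedded inline, and ng_innetgr() is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample netgroup map (NIS-style lines) for the demo. */
static const char *const netgroup_map[] = {
    "FOO (,,)",                        /* every field is a wildcard */
    "BAR (mufasa,,thgwf.de) (,mb,)",   /* constrained by host or by user */
    NULL
};

/* A NULL query field matches anything; an empty map field is a wildcard. */
static int field_matches(const char *want, const char *have, size_t len)
{
    if (want == NULL || len == 0)
        return 1;
    return strlen(want) == len && strncmp(want, have, len) == 0;
}

/* Returns 1 if (host,user,domain) matches any triple of `group`, else 0. */
int ng_innetgr(const char *group, const char *host,
               const char *user, const char *domain)
{
    size_t glen = strlen(group);
    for (const char *const *line = netgroup_map; *line != NULL; line++) {
        if (strncmp(*line, group, glen) != 0 || (*line)[glen] != ' ')
            continue;                     /* different netgroup name */
        const char *p = *line + glen;
        while ((p = strchr(p, '(')) != NULL) {
            const char *h = p + 1;
            const char *c1 = strchr(h, ',');
            const char *c2 = c1 ? strchr(c1 + 1, ',') : NULL;
            const char *end = c2 ? strchr(c2 + 1, ')') : NULL;
            if (end == NULL)
                break;                    /* malformed triple: skip line */
            if (field_matches(host, h, c1 - h) &&
                field_matches(user, c1 + 1, c2 - c1 - 1) &&
                field_matches(domain, c2 + 1, end - c2 - 1))
                return 1;
            p = end + 1;
        }
    }
    return 0;
}

int main(void)
{   /* Same three queries as the PR's test program; prints "1 1 1". */
    printf("%d %d %d\n", ng_innetgr("FOO", "foo", NULL, "bar"),
           ng_innetgr("FOO", NULL, "foo", "bar"),
           ng_innetgr("FOO", NULL, NULL, "bar"));
    return 0;
}
```

The three FOO queries yield 1 here because every field of (,,) is a wildcard, which is the result the report observes only when a local /etc/netgroup bypasses the NIS-only path.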