Date: Sun, 3 Mar 2002 01:16:29 -0800 (PST)
From: Martin Butkus <m.butkus@tu-bs.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/35506: innetgr() doesn't match wildcard fields in NIS-only mode
Message-ID: <200203030916.g239GT211722@freefall.freebsd.org>
>Number:         35506
>Category:       misc
>Synopsis:       innetgr() doesn't match wildcard fields in NIS-only mode
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 03 01:20:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Martin Butkus
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Technical University Braunschweig, Germany
>Environment:
FreeBSD mufasa.thgwf.de 4.5-STABLE FreeBSD 4.5-STABLE #2: Wed Feb 20 23:23:10 CET 2002     root.mb@mufasa.thgwf.de:/usr/obj/usr/src/sys/MUFASA  i386
>Description:
innetgr() has code to speed up lookup of netgroup entries when netgroups
are served exclusively via NIS (i.e. no local netgroups defined in
/etc/netgroup). This code does not honor wildcard entries.

For example, according to netgroup(5), a netgroup like this should match
any (host, user, domain) combination:

	FOO	(,,)

However, innetgr() yields a zero exit status when no local netgroups are
defined. In the presence of at least one local netgroup, it yields an
exit status of one (the correct behaviour).

This bug affects both login(1) and ssh(1) since both use innetgr() for
access control. It is therefore very annoying when you try to use
NIS-based netgroups for centralized access control as described in the
FreeBSD Handbook (i.e. entries of the form "+@NETGROUP" in master.passwd).
>How-To-Repeat:
This is the NIS netgroup file that I use:

	root@mufasa /var/yp # cat netgroup
	FOO	(,,)

This C program will yield "0 0 0" when there is no local /etc/netgroup
file present:

--- snip --
#include <stdio.h>
#include <netdb.h>

int
main(void)
{
	int i;

	/* host given, user unchecked (NULL): should match FOO (,,) */
	i = innetgr("FOO", "foo", NULL, "bar");
	printf("%d ", i);
	/* user given, host unchecked */
	i = innetgr("FOO", NULL, "foo", "bar");
	printf("%d ", i);
	/* only the domain given */
	i = innetgr("FOO", NULL, NULL, "bar");
	printf("%d\n", i);
	return (0);
}
--- snap --

However, when a local netgroup file like this is present:

	root@mufasa /etc # cat netgroup
	BAR	(,,)
	+

then the result is "1 1 1" (as expected). The local netgroup file needs
to have at least one entry besides "+".
>Fix:
Unfortunately I do not understand the NIS-only code in innetgr() quite
well. From my understanding, it doesn't seem to take wildcard entries
into account at all.

A possible but ugly workaround would be to always create a local
netgroups file that contains at least one local netgroup besides the "+"
entry, thus bypassing said code. Another possibility would be to rip out
the NIS speedup code completely.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
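The matching rule the report appeals to (an empty field in a netgroup triple is a wildcard, and a NULL argument to innetgr(3) means that field is not checked) is easy to lose sight of inside libc. The program below is an added example, not part of the bug report and not FreeBSD's innetgr() implementation: a small user-space model of netgroup(5) triple matching, including nested netgroup names and a recursion guard, run over a constructed in-memory netgroup table that contains the report's "FOO (,,)" entry. The "-" field convention (a field that matches no value) and the 16-level nesting limit are assumptions of this example, not something the report states.

```c
/* Added example (not from the bug report or FreeBSD libc): a minimal
 * user-space model of netgroup(5) triple matching, used to show what
 * innetgr() is expected to return for the wildcard entry "FOO (,,)". */
#include <stdio.h>
#include <string.h>

/* One netgroup definition: its name and member list in file syntax. */
struct ng_def { const char *name; const char *members; };

/* Constructed sample table in /etc/netgroup syntax.  Assumption: a field
 * of "-" means "no valid value" and never matches (netgroup(5) convention). */
static const struct ng_def NG_TABLE[] = {
    { "FOO",    "(,,)" },                          /* wildcard triple, as in the report */
    { "ADMIN",  "(mufasa,mb,) (,root,thgwf.de)" },
    { "NOBODY", "(-,-,)" },                        /* matches no host and no user */
    { "ALL",    "FOO ADMIN" },                     /* nested netgroup names */
    { "LOOP",   "LOOP ADMIN" },                    /* self-reference; must not recurse forever */
};
#define NG_COUNT (sizeof NG_TABLE / sizeof NG_TABLE[0])
#define NG_MAX_DEPTH 16                            /* assumed nesting limit for cycle protection */

/* A triple field matches a query value when the query is NULL (innetgr(3):
 * field not checked), the field is empty (wildcard), or the strings are
 * equal.  A field of "-" never matches a real value. */
static int field_match(const char *field, size_t len, const char *query)
{
    if (query == NULL) return 1;
    if (len == 0) return 1;
    if (len == 1 && field[0] == '-') return 0;
    return strlen(query) == len && memcmp(field, query, len) == 0;
}

/* Parse a "(host,user,domain)" token of length toklen and match it
 * against the query q[0..2]; malformed triples never match. */
static int triple_match(const char *tok, size_t toklen, const char *const q[3])
{
    const char *f[3]; size_t l[3];
    const char *p, *end;
    int i;

    if (toklen < 2 || tok[0] != '(' || tok[toklen - 1] != ')') return 0;
    p = tok + 1; end = tok + toklen - 1;           /* strip the parentheses */
    for (i = 0; i < 3; i++) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        f[i] = p;
        if (comma == NULL) {
            if (i != 2) return 0;                  /* fewer than three fields */
            l[i] = (size_t)(end - p);
        } else {
            if (i == 2) return 0;                  /* more than three fields */
            l[i] = (size_t)(comma - p);
            p = comma + 1;
        }
    }
    return field_match(f[0], l[0], q[0]) &&
           field_match(f[1], l[1], q[1]) &&
           field_match(f[2], l[2], q[2]);
}

static const struct ng_def *find_group(const char *name)
{
    size_t i;
    for (i = 0; i < NG_COUNT; i++)
        if (strcmp(NG_TABLE[i].name, name) == 0) return &NG_TABLE[i];
    return NULL;
}

/* Walk the member list: triples are matched directly, bare names are
 * looked up recursively with a depth bound so cycles terminate. */
static int match_group(const char *name, const char *const q[3], int depth)
{
    const struct ng_def *g = find_group(name);
    const char *p;

    if (g == NULL || depth > NG_MAX_DEPTH) return 0;
    for (p = g->members;;) {
        const char *tok; size_t len;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0') return 0;
        tok = p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
        len = (size_t)(p - tok);
        if (tok[0] == '(') {
            if (triple_match(tok, len, q)) return 1;
        } else {
            char sub[64];
            if (len >= sizeof sub) continue;       /* name too long: skip it */
            memcpy(sub, tok, len); sub[len] = '\0';
            if (match_group(sub, q, depth + 1)) return 1;
        }
    }
}

/* Same argument order and return convention as innetgr(3): 1 on match, 0 otherwise. */
int model_innetgr(const char *netgroup, const char *host, const char *user, const char *domain)
{
    const char *const q[3] = { host, user, domain };
    return match_group(netgroup, q, 0);
}

int main(void)
{
    /* The three calls from the report; per netgroup(5) each must be 1. */
    printf("%d %d %d\n",
           model_innetgr("FOO", "foo", NULL, "bar"),
           model_innetgr("FOO", NULL, "foo", "bar"),
           model_innetgr("FOO", NULL, NULL, "bar"));
    return 0;
}
```

Running the model against the report's three calls gives "1 1 1", the result the reporter gets once a local /etc/netgroup entry forces the non-NIS code path, which is the behaviour netgroup(5) and innetgr(3) describe; a libc that returns "0 0 0" here is dropping the wildcard rule, not just taking a faster path.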
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203030916.g239GT211722>