Date:      Sun, 3 Mar 2002 01:16:29 -0800 (PST)
From:      Martin Butkus <m.butkus@tu-bs.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/35506: innetgr() doesn't match wildcard fields in NIS-only mode
Message-ID:  <200203030916.g239GT211722@freefall.freebsd.org>


>Number:         35506
>Category:       misc
>Synopsis:       innetgr() doesn't match wildcard fields in NIS-only mode
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 03 01:20:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Martin Butkus
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Technical University Braunschweig, Germany
>Environment:
FreeBSD mufasa.thgwf.de 4.5-STABLE FreeBSD 4.5-STABLE #2: Wed Feb 20 23:23:10 CET 2002     root.mb@mufasa.thgwf.de:/usr/obj/usr/src/sys/MUFASA  i386

>Description:
innetgr() has code to speed up lookup of netgroup entries when
netgroups are served exclusively via NIS (i.e. no local netgroups
defined in /etc/netgroup).

This code does not honor wildcard entries. For example, 
according to netgroup(5), a netgroup like this should 
match any (host, user, domain) combination:

FOO (,,)

However, innetgr() yields a zero exit status when no local 
netgroups are defined. In the presence of at least one local
netgroup, it yields an exit status of one (the correct behaviour).

This bug affects both login(1) and ssh(1) since both use 
innetgr() for access control. It is therefore very annoying when 
you try to use NIS-based netgroups for centralized access control 
as described in the FreeBSD Handbook (i.e. entries of the form 
"+@NETGROUP" in master.passwd).

>How-To-Repeat:
This is the NIS netgroup file that I use:

root@mufasa /var/yp # cat netgroup
FOO (,,)

This C program will yield "0 0 0" when there is no
local /etc/netgroup file present:

--- snip ---
#include <stdio.h>
#include <netdb.h>

int main(void) {
	int i;

	/* FOO (,,) should match any (host, user, domain) combination;
	 * a NULL argument leaves that field unconstrained (innetgr(3)). */
	i = innetgr("FOO","foo",NULL,"bar");	/* host only */
	printf("%d ",i);
	i = innetgr("FOO",NULL,"foo","bar");	/* user only */
	printf("%d ",i);
	i = innetgr("FOO",NULL,NULL,"bar");	/* domain only */
	printf("%d\n",i);
	return 0;
}
--- snap ---

However, when a local netgroup file like this is present:

root@mufasa /etc # cat netgroup
BAR	(,,)
+

then the result is "1 1 1" (as expected). The local netgroup 
file needs to have at least one entry besides "+".

>Fix:
Unfortunately I do not understand the NIS-only code in innetgr()
quite well. From my understanding, it doesn't seem to take
wildcard entries into account at all.

A possible but ugly workaround would be to always create a local 
netgroups file that contains at least one local netgroup besides 
the "+" entry, thus bypassing said code. 

Another possibility would be to rip out the NIS speedup code
completely.

>Release-Note:
>Audit-Trail:
>Unformatted:
