From owner-freebsd-bugs Mon Jun 5 21:00:08 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id VAA24778 for bugs-outgoing; Mon, 5 Jun 1995 21:00:08 -0700
Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id VAA24769 for ; Mon, 5 Jun 1995 21:00:04 -0700
Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.8/8.6.6) id WAA02120; Mon, 5 Jun 1995 22:56:28 -0400
From: "House of Debuggin'"
Message-Id: <199506060256.WAA02120@skynet.ctr.columbia.edu>
Subject: Re: bug in NIS/passwd
To: wilcox@math.psu.edu (Ken Wilcox)
Date: Mon, 5 Jun 1995 22:56:24 -0400 (EDT)
Cc: bugs@FreeBSD.org
In-Reply-To: <199506051547.LAA07081@napier.math.psu.edu> from "Ken Wilcox" at Jun 5, 95 11:47:10 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 4036
Sender: bugs-owner@FreeBSD.org
Precedence: bulk

They say this Ken Wilcox person was kidding when he wrote:

> I don't know which one it is in, but I will explain the problem.
> We have a group of suns that are all configured alike and running NIS, etc.
> I got freebsd and loaded it up with yp and amd to run just as our suns do and
> it works nice except for one problem. This is how we do restrictions on logins.
>
> /etc/passwd
> +@staff::0:0:::
> +::65534:65534:::/usr/new/misc/message

I use similar access restrictions, though I tend to specify everything in terms of netgroups.

> When I try to do this on my bsd machine, everyone's shell is
> /usr/new/misc/message and it looks like it just totally disregarded the staff
> line.

Well, you didn't say exactly what version of FreeBSD you're running. If it's 2.0-RELEASE, then I'm not even going to speculate what the problem is: there are too many to count. For one thing, netgroup overrides didn't even work. 2.0.5A is a lot better.

The netgroup overrides do work, and even group overrides are possible (if netgroup 'foo' doesn't exist, then the library will try to match +@foo against regular group 'foo' instead). Anyway, here's how the stuff should work:

> +@staff::0:0:::

I think the /etc/master.passwd equivalent of this is +@staff:::::::::. This allows users in netgroup 'staff' into the system with no overrides. I'm guessing that this is what you want. If you replace the UID and GID fields in /etc/master.passwd with '0', then the 'staff' netgroup will have their UIDs and GIDs remapped to 0, thus turning them into superusers. This is handy, but not necessarily desirable.

> +::65534:65534:::/usr/new/misc/message

This line should affect everyone who isn't in the 'staff' netgroup (the rule is that the first match wins -- those who don't match 'staff' fall through to the next entry). It should be expressed in /etc/master.passwd as +::65534:65534::::::/usr/new/misc/messages. What it should do is remap everyone's UID and GID to 65534 and their shell to /usr/new/misc/message. The end result is that users in the 'staff' netgroup should be able to log in, while everybody else should get the /usr/new/misc/messages treatment. This is exactly the behavior that 2.0.5 should exhibit.

> It makes no difference where you put the line either. Has anyone
> experienced this problem?
>
> -Ken Wilcox

Well, again, you didn't say what version of FreeBSD you're running. In FreeBSD 2.0-RELEASE, the +@staff:::::::: line would be ignored since netgroup overrides weren't supported in that release. Basically, the second line would be applied to everyone. I think this is the problem you're describing. With 2.0.5, this should work correctly: assuming you have an /etc/netgroup file with a '+' in it, the +@netgroup/-@netgroup overrides will be properly evaluated and 'staff' will be granted access while everyone else will get booted out.

Be warned that 2.0.5A has a subtle bug in it that will wreck shell substitutions ("And the Lord Elvis spake unto me: 'Yea, thou shalt return only pointers to static buffers lest thine dynamic storage be free()ed out from under thine ass, and thy stack be corrupted.'"). A patch has already been submitted and applied to fix this, so everything should work in 2.0.5-BETA and 2.0.5-RELEASE.

If you are running 2.0-RELEASE, my suggestion is to upgrade. If you don't want to upgrade, your only alternative is to patch libc: you need new copies of getpwent.c, getgrent.c and getnetgrent.c. Replacing rcmd.c might be a good idea too.

-Bill

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~T~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Bill Paul (212) 854-6020 | System Manager
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Møøse Illuminati: ignore it and be confused, or join it and be confusing!
~~~~~~~~~ FreeBSD 2.1: "We can kick your operating system's ass!" ~~~~~~~~~~
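The following Python is an added illustration of the resolution rule the reply describes (entries scanned in order, first match wins, non-empty fields of a matching '+' entry override the NIS values). It is not code from the thread or from FreeBSD libc: the NIS passwd map and the netgroup membership are constructed sample data, and details of the real lookup (the netgroup-to-group fallback, the NIS map query itself) are left out. It shows why `+@staff:::::::::` followed by the catch-all `+::65534:65534::::::/usr/new/misc/message` gives staff their normal identity and everyone else the restricted one, and why putting 0 in the UID/GID fields of the staff line is the root remapping the reply warns about.

```python
"""Model of BSD libc NIS compat ('+'/'-') resolution in /etc/master.passwd.
Added example, not FreeBSD code; all data below is constructed."""

# /etc/master.passwd has 10 fields (the 7-field /etc/passwd lines in the
# question map onto these, which is why the reply rewrites them).
MASTER_PASSWD_FIELDS = (
    "name", "passwd", "uid", "gid", "class",
    "change", "expire", "gecos", "home", "shell",
)

# Constructed NIS passwd map, as a Sun NIS master might serve it.
NIS_PASSWD = {
    "alice": "alice:*:1001:100::0:0:Alice Staff:/home/alice:/bin/csh",
    "bob":   "bob:*:1002:100::0:0:Bob User:/home/bob:/bin/csh",
}

# Constructed netgroup membership (what an /etc/netgroup with '+' would
# pull from the NIS netgroup map).
NETGROUPS = {"staff": {"alice"}}


def parse_entry(line):
    """Split one master.passwd line into a dict keyed by field name."""
    fields = line.split(":")
    if len(fields) != len(MASTER_PASSWD_FIELDS):
        raise ValueError("expected 10 fields: %r" % line)
    return dict(zip(MASTER_PASSWD_FIELDS, fields))


def compat_matches(key, login):
    """Does the name field of a '+'/'-' entry apply to this login?
    '+' alone: everyone; '+@ng': members of netgroup ng; '+name': one user."""
    body = key[1:]
    if body == "":
        return True
    if body.startswith("@"):
        return login in NETGROUPS.get(body[1:], set())
    return body == login


def resolve(master_passwd_lines, login):
    """Return the effective entry for `login`, or None if nothing admits them.
    First matching entry wins; non-empty fields of a '+' entry override the
    values taken from the NIS map (this is the UID/GID/shell remapping)."""
    for line in master_passwd_lines:
        entry = parse_entry(line)
        key = entry["name"]
        if key.startswith("-"):
            if compat_matches(key, login):
                return None            # explicitly excluded
            continue
        if key.startswith("+"):
            if not compat_matches(key, login) or login not in NIS_PASSWD:
                continue               # fall through to the next entry
            result = parse_entry(NIS_PASSWD[login])
            for field in MASTER_PASSWD_FIELDS[1:]:
                if entry[field] != "":
                    result[field] = entry[field]
            return result
        if key == login:               # ordinary local entry
            return entry
    return None


# The two configurations discussed in the thread, in master.passwd form.
NO_OVERRIDE = [
    "+@staff:::::::::",
    "+::65534:65534::::::/usr/new/misc/message",
]
ROOT_REMAP = [
    "+@staff::0:0::::::",
    "+::65534:65534::::::/usr/new/misc/message",
]


if __name__ == "__main__":
    for cfg_name, cfg in (("no override", NO_OVERRIDE), ("uid/gid 0", ROOT_REMAP)):
        for user in ("alice", "bob", "mallory"):
            r = resolve(cfg, user)
            print(cfg_name, user, r and (r["uid"], r["gid"], r["shell"]))
```

Running it shows alice keeping UID 1001 and /bin/csh under the first configuration but becoming UID 0 under the second, bob getting 65534/65534 and the message shell in both, and a login absent from the NIS map admitted by neither.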