Date:      Thu, 23 Mar 1995 15:06:58 -0800
From:      "Justin T. Gibbs" <gibbs@estienne.CS.Berkeley.EDU>
To:        Bill Paul <wpaul@freefall.cdrom.com>
Cc:        CVS-commiters@freefall.cdrom.com, cvs-usrsbin@freefall.cdrom.com
Subject:   Re: cvs commit: src/usr.sbin/pwd_mkdb pwd_mkdb.c 
Message-ID:  <199503232306.PAA05554@estienne.cs.berkeley.edu>
In-Reply-To: Your message of "Thu, 23 Mar 1995 14:58:12 PST." <199503232258.OAA24890@freefall.cdrom.com> 

>> 
>> >wpaul       95/03/23 14:31:14
>> >
>> >  Modified:    usr.sbin/pwd_mkdb pwd_mkdb.c
>> >  Log:
>> >  Re-enable +::::::::: wildcards that I had previously disallowed.
>> >  
>> >  Note: if you put +::0:0:::::: in /etc/master.passwd as your only NIS
>> >  entry, it will cause all NIS uids and gids to be remapped to zero. This
>> >  is *intentional*. That's the way it's supposed to work. Enabling NIS with
>> >  no remapping at all is done with +:::::::::, not +::0:0::::::. Similarly,
>> >  +:::::::::/bin/csh will remap the shells of all NIS users to /bin/csh.
>> >  Or, you could do +wpaul:::::::::/bin/csh to remap NIS user wpaul's shell
>> >  to /bin/csh but leave everyone else alone.
>> 
>> Is there any way I can do remapping on a group of accounts that are in
>> /etc/group, but not in a netgroup?
>> --
>> Justin T. Gibbs
>> ==============================================
>> TCS Instructional Group - Programmer/Analyst 1
>>   Cory | Po | Danube | Volga | Parker | Torus
>> ==============================================
>> 
>
>There isn't any support for that, no. I'm trying to emulate the mechanism
>in SunOS (and in other implementations based on code licensed from Sun, like
>IRIX and HP-UX) which, so far as I know, only supports +@netgroup/-@netgroup
>remapping. The fact that we also have +user/-user remapping actually puts
>us a step ahead of them in this department. I desperately wanted the 
>+@netgroup/-@netgroup support since everybody else seems to have it and
>I need it to properly integrate FreeBSD machines into my existing network:
>I use the remapping mechanism for access control purposes.

This is also the way the @netgroup/-@netgroup NIS feature is used at TCS,
but it seems the netgroup file has some braindead limits (both characters
per netgroup, 128, and number of netgroups) under HP-UX and ULTRIX so we 
have some nasty perl script that splits up the mass of users we want to
deny, 2000 in all, into a series of netgroups that works.  This all seems 
such a waste since our group file is already handled by NIS and the same 
effort would have taken five +something entries in the passwd file.  In 
the past, we've used the netgroup file for lists of machines, not users...

>The main problem I see in implementing group remapping would be that I'd need
>yet another magic symbol (+ for just username remapping, +@ for netgroup
>remapping and something else to represent plain group remapping), and
>I'd have to modify pwd_mkdb, pwd.h and the caching function in getpwent.c
>some more. This isn't that tough to do, but it would be very non-standard.
>(The +user/-user stuff is also non-standard, but I kept it for backwards
>compatibility.)

Would it be too gross to simply check the group map if we don't get a hit
for a +@ entry in the netgroup file?

>
>If enough people say they want this, I'll do it. Anybody have any suggestions
>as to what magic symbol I should use?
>
>-Bill

--
Justin T. Gibbs
==============================================
TCS Instructional Group - Programmer/Analyst 1
  Cory | Po | Danube | Volga | Parker | Torus
==============================================
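The +::0:0::::::, +::::::::: and +user:::::::::/bin/csh forms described in the quoted commit message, as an added example that is not code from the commit or from either poster: a Python simulator of how such compat entries rewrite the NIS passwd map. It assumes the rule that any non-empty field in a + entry overrides the NIS value, and the NIS map and netgroup are constructed; walking a proposed set of entries through it shows which one silently remaps every NIS account to uid 0 before the file is installed.

```python
# Added example, not code from the pwd_mkdb commit or from the thread: a
# simulator of how +/- compat entries in /etc/master.passwd rewrite the NIS
# passwd map, so an entry like +::0:0:::::: can be reviewed before install.
# Field order follows master.passwd(5), 10 fields:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# Assumed rule: a non-empty field in a + entry replaces the NIS value, an
# empty field keeps it. The NIS map and the netgroup below are constructed.
NFIELDS = 10

NIS_PASSWD = [  # constructed sample map, not real accounts
    "wpaul:*:1001:100::0:0:Bill:/home/wpaul:/bin/sh",
    "gibbs:*:1002:100::0:0:Justin:/home/gibbs:/bin/sh",
    "guest:*:1003:200::0:0:Guest:/home/guest:/bin/sh",
]
NETGROUPS = {"staff": {"wpaul", "gibbs"}}  # constructed, user members only

def _selects(selector, user):
    """selector is the text after '+' or '-': '' (everyone), '@netgroup',
    or a single user name."""
    if selector == "":
        return True
    if selector.startswith("@"):
        return user in NETGROUPS.get(selector[1:], set())
    return selector == user

def merge_passwd(local_lines, nis_lines=NIS_PASSWD):
    """Return {name: fields} for the merged database. Entries are walked in
    order and the first one deciding a user wins, so a -user or -@netgroup
    line must come before the + line it is meant to restrict."""
    nis = {ln.split(":")[0]: ln.split(":") for ln in nis_lines}
    result, decided = {}, set()
    for line in local_lines:
        fields = line.split(":")
        if len(fields) != NFIELDS:
            raise ValueError("malformed master.passwd entry: %r" % line)
        name = fields[0]
        if name.startswith("-"):        # exclusion: settle users as absent
            decided.update(u for u in nis if _selects(name[1:], u))
        elif not name.startswith("+"):  # ordinary local account
            result[name] = fields
            decided.add(name)
        else:                           # NIS inclusion with field overrides
            for user, entry in nis.items():
                if user in decided or not _selects(name[1:], user):
                    continue
                result[user] = [user] + [ov or nv for ov, nv
                                         in zip(fields[1:], entry[1:])]
                decided.add(user)
    return result
```

Running merge_passwd(["+::0:0::::::"]) returns every NIS account with uid and gid "0", which is the footgun the commit message warns about; merge_passwd(["+:::::::::"]) returns the NIS entries unchanged.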


