From owner-freebsd-security  Thu Apr 23 16:31:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA18603
          for freebsd-security-outgoing; Thu, 23 Apr 1998 16:31:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from enterprise.cs.unm.edu (enterprise-atm.cs.unm.edu [198.83.90.20])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA18552
          for <freebsd-security@freebsd.org>; Thu, 23 Apr 1998 16:30:55 -0700 (PDT)
          (envelope-from cfaehl@cs.unm.edu)
Received: from avarice.cs.unm.edu [198.83.92.131] 
	by enterprise.cs.unm.edu with esmtp (Exim 1.80 #2)
	id 0ySVS3-00055V-00; Thu, 23 Apr 1998 17:30:47 -0600
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Possible bug in NIS passwd handling?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 23 Apr 1998 17:30:39 -0600
From: Chris Faehl <cfaehl@cs.unm.edu>
Message-Id: <E0ySVS3-00055V-00@enterprise.cs.unm.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

We seem to have stumbled over what I'd call a bug in NIS passwd handling
(or documentation error). This is 2.2.6. (apologies if this should be
in -stable - I'm not tracking it).

According to passwd(5):
   Using groups instead of netgroups for NIS overrides
     FreeBSD offers the capability to do override matching based on user
     groups rather than netgroups. If, for example, an NIS entry is specified
     as:

           +@operator:::::::::

     the system will first try to match users against a netgroup called `oper-
     ator.' If an `operator' netgroup doesn't exist, the system will try to
     match users against the normal `operator' group instead.

The implied behavior is that if (using the above example) a netgroup
'operator' DOES exist, and a user is not in that netgroup, permission
is denied. The behavior we're seeing seems to be that if a netgroup does
exist, and the user doesn't match that netgroup, the user
is compared against group membership.

In my thinking, the documented way is 'correct', the observed behavior
is 'incorrect'. 

-------------------------------------------------------------------------------
Chris Faehl			      | Email: cfaehl@cs.unm.edu
The University of New Mexico          | URL:   http://www.cs.unm.edu/~cfaehl
Computer Science Dept., Rm. FEC 313   | Phone: 505/277-3016
Albuquerque, NM  87131  USA           | FAX:   505/277-6927
-------------------------------------------------------------------------------




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message