From owner-freebsd-security Thu Apr 23 16:31:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18603 for freebsd-security-outgoing; Thu, 23 Apr 1998 16:31:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from enterprise.cs.unm.edu (enterprise-atm.cs.unm.edu [198.83.90.20]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA18552 for ; Thu, 23 Apr 1998 16:30:55 -0700 (PDT) (envelope-from cfaehl@cs.unm.edu)
Received: from avarice.cs.unm.edu [198.83.92.131] by enterprise.cs.unm.edu with esmtp (Exim 1.80 #2) id 0ySVS3-00055V-00; Thu, 23 Apr 1998 17:30:47 -0600
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Possible bug in NIS passwd handling?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 23 Apr 1998 17:30:39 -0600
From: Chris Faehl
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

We seem to have stumbled over what I'd call a bug in NIS passwd handling
(or documentation error). This is 2.2.6. (apologies if this should be in
-stable - I'm not tracking it).

According to passwd(5):

    Using groups instead of netgroups for NIS overrides

    FreeBSD offers the capability to do override matching based on user
    groups rather than netgroups. If, for example, an NIS entry is
    specified as:

        +@operator:::::::::

    the system will first try to match users against a netgroup called
    `operator.' If an `operator' netgroup doesn't exist, the system will
    try to match users against the normal `operator' group instead.

The implied behavior is that if (using the above example) a netgroup
'operator' DOES exist, and a user is not in that netgroup, permission is
denied. The behavior we're seeing seems to be that if a netgroup does exist,
and the user doesn't match that netgroup, the user is compared against group
membership. In my thinking, the documented way is 'correct', the observed
behavior is 'incorrect'.

-------------------------------------------------------------------------------
Chris Faehl                         | Email: cfaehl@cs.unm.edu
The University of New Mexico        | URL:   http://www.cs.unm.edu/~cfaehl
Computer Science Dept., Rm. FEC 313 | Phone: 505/277-3016
Albuquerque, NM 87131 USA           | FAX:   505/277-6927
-------------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
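
The two readings of `+@name` matching contrasted in the message above, as an added example that is not part of the original post and is not FreeBSD code. It is a simplified model for auditing which accounts the reported fall-through would admit; the function names, the reduction of netgroup triples to bare user names, and all memberships are assumptions constructed for illustration.

```python
# Added illustration: models the documented and the reported behaviour of a
# "+@name" override entry. Not FreeBSD source; all data below is constructed.

def documented_match(user, name, netgroups, groups):
    """passwd(5) as the poster reads it: the ordinary group is consulted
    only when no netgroup called `name` exists."""
    if name in netgroups:
        return user in netgroups[name]
    return user in groups.get(name, set())


def observed_match(user, name, netgroups, groups):
    """Behaviour reported on 2.2.6: a netgroup miss falls through to the
    ordinary group of the same name."""
    if user in netgroups.get(name, set()):
        return True
    return user in groups.get(name, set())


def unexpected_admits(name, netgroups, groups):
    """Users the reported logic admits but the documented logic denies."""
    candidates = netgroups.get(name, set()) | groups.get(name, set())
    return sorted(
        u for u in candidates
        if observed_match(u, name, netgroups, groups)
        and not documented_match(u, name, netgroups, groups)
    )


# Constructed sample data (netgroup triples reduced to user names).
NETGROUPS = {"operator": {"alice", "bob"}}
GROUPS = {"operator": {"bob", "carol"}, "staff": {"dave"}}

if __name__ == "__main__":
    # "operator" exists as both netgroup and group; "staff" only as a group.
    for entry in ("operator", "staff"):
        print(entry, unexpected_admits(entry, NETGROUPS, GROUPS))
```

Only accounts that are in the group but absent from a same-named, existing netgroup differ between the two readings, so those are the ones to review where a `+@name` entry is meant to restrict access.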