Date: Tue, 21 Mar 1995 14:57:40 -0500 (EST) From: Wankle Rotary Engine <wpaul@skynet.ctr.columbia.edu> To: freebsd-hackers@FreeBSD.org Subject: How should I do this? Message-ID: <199503211957.OAA03653@skynet.ctr.columbia.edu>
next in thread | raw e-mail | index | archive | help
I've finally started to add support for special +@netgroup/-@netgroup substitution in the password database and I've found myself in a quandry. For those who may not know, systems with NIS capability (well, the ones I'm familiar with at least -- SunOS, Solaris, IRIX, HPUX, and even Sony NEWS-OS) allow you to have special entries in your passwd file that look like this: +@rejected-users::32767:32767:Rejected!:/tmp:/usr/local/etc/go-away +@allowed-users:::::: -@silently-rejected-users:*:32767:32767:Rejected!:/tmp:/bin/false People in the 'allowed-users' netgroup will be permitted to log in normally. People in the 'rejected-users' netgroup will be let in, but their UID and GID will be remapped to 32767 and their shell will be remapped to /usr/local/etc/go-away, which is a nastygram program or script that tells them they aren't allowed on this system. Once the program/shell terminates, they get tossed out on their ears. The 'silently-rejected-users' will be denied access outright. (The dummy fields shouldn't be needed for minus entries, but it doesn't hurt to be paranoid.) This permits administrators (like me :) to set up access control for groups of NIS client machines. My plan is to have the getpwent functions cache these special entries so that they can be prepared to match usernames against them quickly. The problem is generating the caches. I've thought of two ways to do it: 1) Do everything in getpwent.c: use the _PW_KEYBYNUM access method to scan through each line in the password database and weed out the special entries. Cons: - The advantage of having a hashed password database goes flying out the window. Pros: - Don't have to change anything except libc. - Since this feature would only be used when YP was turned on, and since when YP is turned on the local password database tends to be fairly small, the speed hit involved should be minimal. 2) Change pwd_mkdb to store special key/data pairs in the password databases if it finds special +@netgroup/-@netgroup entries in the raw master.passwd file. The getpwent routines can then extract the special entries directly. Some extra tags, _PW_PLUSBYNUM and _PW_MINUSBYNUM, would be needed. A _PW_HAVEPLUS and _PW_HAVEMINUS would be nice too, though I think I can get by without them. Cons: - Need to change more things: libc (getpwent.c), pwd.h and pwd_mkdb. Pros: - Overall, it should be much faster than a sequential search (and, as with the other method, the search is only done at all if YP is enabled). - Somehow it seems more elegant than the other solution. :) On the one hand, I'd kind of like to restrict the changes to libc, since that's where this stuff is supposed to go. On the other hand, it would be a little silly not to use the database system. I'm leaning towards solution #2 at the moment, but I want to find out if other people think this is a good idea. Basically, I can't decide, so I'm hoping for some strongly-voiced opinioms to sway me. :) -Bill -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~T~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Bill Paul (212) 854-6020 | System Manager Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Møøse Illuminati: ignore it and be confused, or join it and be confusing! ~~~~~~~~ FreeBSD 2.1.0-Development #0: Tue Mar 14 11:11:25 EST 1995 ~~~~~~~~~
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199503211957.OAA03653>