Date:      Tue, 21 Mar 1995 14:57:40 -0500 (EST)
From:      Wankle Rotary Engine <wpaul@skynet.ctr.columbia.edu>
To:        freebsd-hackers@FreeBSD.org
Subject:   How should I do this?
Message-ID:  <199503211957.OAA03653@skynet.ctr.columbia.edu>

I've finally started to add support for special +@netgroup/-@netgroup
substitution in the password database and I've found myself in a quandary.
For those who may not know, systems with NIS capability (well, the ones
I'm familiar with at least -- SunOS, Solaris, IRIX, HPUX, and even
Sony NEWS-OS) allow you to have special entries in your passwd file that 
look like this:

+@rejected-users::32767:32767:Rejected!:/tmp:/usr/local/etc/go-away
+@allowed-users::::::
-@silently-rejected-users:*:32767:32767:Rejected!:/tmp:/bin/false

People in the 'allowed-users' netgroup will be permitted to log in
normally. People in the 'rejected-users' netgroup will be let in,
but their UID and GID will be remapped to 32767 and their shell will
be remapped to /usr/local/etc/go-away, which is a nastygram program
or script that tells them they aren't allowed on this system. Once the
program/shell terminates, they get tossed out on their ears. The
'silently-rejected-users' will be denied access outright. (The dummy
fields shouldn't be needed for minus entries, but it doesn't hurt
to be paranoid.) This permits administrators (like me :) to set up
access control for groups of NIS client machines.

My plan is to have the getpwent functions cache these special entries
so that they can be prepared to match usernames against them quickly.
The problem is generating the caches. I've thought of two ways to do it:

1) Do everything in getpwent.c: use the _PW_KEYBYNUM access method to scan
   through each line in the password database and weed out the special
   entries.

   Cons:
   - The advantage of having a hashed password database goes flying
     out the window.
   Pros:
   - Don't have to change anything except libc.
   - Since this feature would only be used when YP was turned on, and
     since when YP is turned on the local password database tends to be
     fairly small, the speed hit involved should be minimal.

2) Change pwd_mkdb to store special key/data pairs in the password databases
   if it finds special +@netgroup/-@netgroup entries in the raw master.passwd
   file. The getpwent routines can then extract the special entries directly.
   Some extra tags, _PW_PLUSBYNUM and _PW_MINUSBYNUM, would be needed.
   A _PW_HAVEPLUS and _PW_HAVEMINUS would be nice too, though I think I can
   get by without them.

   Cons:
   - Need to change more things: libc (getpwent.c), pwd.h and pwd_mkdb.
   Pros:
   - Overall, it should be much faster than a sequential search (and, as
     with the other method, the search is only done at all if YP is enabled).
   - Somehow it seems more elegant than the other solution. :)

On the one hand, I'd kind of like to restrict the changes to libc, since
that's where this stuff is supposed to go. On the other hand, it would
be a little silly not to use the database system.

I'm leaning towards solution #2 at the moment, but I want to find out if
other people think this is a good idea. Basically, I can't decide, so I'm
hoping for some strongly-voiced opinions to sway me. :)

-Bill

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~T~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Bill Paul            (212) 854-6020 | System Manager
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Møøse Illuminati: ignore it and be confused, or join it and be confusing!
~~~~~~~~ FreeBSD 2.1.0-Development #0: Tue Mar 14 11:11:25 EST 1995 ~~~~~~~~~
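As an added example that is not part of Bill's message or of FreeBSD's libc, here is a small Python model of the +@netgroup/-@netgroup semantics described above: scan the local password file once, cache the special entries (the goal of both of his options), and then resolve a username by checking the caches against netgroup membership and the NIS passwd map, remapping only the override fields that are non-empty. The three special lines are the ones quoted in the message; the local root entry, the netgroup membership, the NIS map and the usernames are constructed sample data. The precedence rules (a -@ denial wins over any +@ entry; among +@ entries the first match in file order applies; a user covered by no +@ entry is not admitted) are assumptions on my part, since the message does not spell them out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed local master.passwd: one real local user plus the three
# special entries quoted in the message.
LOCAL_PASSWD = """\
root:*:0:0:Charlie Root:/root:/bin/csh
+@rejected-users::32767:32767:Rejected!:/tmp:/usr/local/etc/go-away
+@allowed-users::::::
-@silently-rejected-users:*:32767:32767:Rejected!:/tmp:/bin/false
""".splitlines()

# Constructed netgroup membership (the NIS netgroup map reduced to usernames).
NETGROUPS: Dict[str, Set[str]] = {
    "allowed-users": {"alice"},
    "rejected-users": {"bob"},
    "silently-rejected-users": {"mallory"},
}

# Constructed NIS passwd map, keyed by username, seven colon-separated fields.
NIS_PASSWD: Dict[str, List[str]] = {
    "alice":   ["alice", "x", "1001", "100", "Alice", "/home/alice", "/bin/sh"],
    "bob":     ["bob", "x", "1002", "100", "Bob", "/home/bob", "/bin/sh"],
    "mallory": ["mallory", "x", "1003", "100", "Mallory", "/home/mallory", "/bin/sh"],
    "carol":   ["carol", "x", "1004", "100", "Carol", "/home/carol", "/bin/sh"],
}

# (netgroup name, the six fields after the name, kept as strings)
Override = Tuple[str, List[str]]


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    dir: str
    shell: str

    @classmethod
    def from_fields(cls, f: List[str]) -> "PasswdEntry":
        return cls(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])


def split_fields(line: str) -> List[str]:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    return fields


def build_caches(lines) -> Tuple[Dict[str, PasswdEntry], List[Override], List[Override]]:
    """One sequential pass over the local file (option 1 in the message):
    returns plain local users by name, the +@ cache and the -@ cache,
    both in file order."""
    local: Dict[str, PasswdEntry] = {}
    plus: List[Override] = []
    minus: List[Override] = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        name = fields[0]
        if name.startswith("+@"):
            plus.append((name[2:], fields[1:]))
        elif name.startswith("-@"):
            minus.append((name[2:], fields[1:]))
        elif name.startswith(("+", "-")):
            raise ValueError(f"only +@/-@ netgroup entries are modelled here: {name}")
        else:
            local[name] = PasswdEntry.from_fields(fields)
    return local, plus, minus


def resolve(username: str, local: Dict[str, PasswdEntry], plus: List[Override],
            minus: List[Override], netgroups=NETGROUPS, nis=NIS_PASSWD) -> Optional[PasswdEntry]:
    """Effective passwd entry for username, or None when access is denied."""
    # Plain local entries are served as-is; the special entries govern NIS users only.
    if username in local:
        return local[username]
    # Assumption: an explicit -@ denial wins over every +@ entry.
    for netgroup, _ in minus:
        if username in netgroups.get(netgroup, set()):
            return None
    # Assumption: among +@ entries the first match in file order applies.
    for netgroup, override in plus:
        if username in netgroups.get(netgroup, set()):
            fields = nis.get(username)
            if fields is None:
                return None  # named in a netgroup but absent from the NIS map
            merged = list(fields)
            # A non-empty override field replaces the NIS value; an empty one keeps it,
            # so "+@allowed-users::::::" passes the NIS entry through untouched.
            for i, value in enumerate(override, start=1):
                if value != "":
                    merged[i] = value
            return PasswdEntry.from_fields(merged)
    # Covered by no +@ entry: the NIS user is not admitted at all.
    return None


if __name__ == "__main__":
    caches = build_caches(LOCAL_PASSWD)
    for user in ("root", "alice", "bob", "mallory", "carol"):
        print(user, "->", resolve(user, *caches))
```

With this data alice logs in with her NIS uid and shell, bob keeps his NIS password field but is remapped to uid/gid 32767 and the go-away shell, and mallory and carol are both refused (mallory by the -@ line, carol because no +@ line covers her). The scan in `build_caches` is the sequential pass of option 1; option 2 would replace it by reading the cached entries back under dedicated keys, but the resolution step stays the same.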

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199503211957.OAA03653>