Date: Fri, 31 May 1996 07:47:47 -0700 (PDT)
From: Bill Paul <wpaul>
To: CVS-committers, cvs-all, cvs-gnu
Subject: cvs commit: src/gnu/usr.sbin/yppasswdd update.c yppasswdd.c
Message-ID: <199605311447.HAA16358@freefall.freebsd.org>

wpaul       96/05/31 07:47:46

  Branch:      gnu/usr.sbin/yppasswdd  RELENG_2_1_0
  Modified:    gnu/usr.sbin/yppasswdd  update.c yppasswdd.c
  Log:
  Patch the -stable yppasswdd so that it doesn't try to call getpwnam().
  The problem with doing this is that getpwnam() will process all the
  special inclusion and exclusion lines in /etc/master.passwd, including
  substitution. So, for example, if you have a line on your NIS master
  server that says:

  +@disallowed-users:::::::::/etc/nologin

  Then yppasswdd will end up with a user record that has /etc/nologin
  as a shell. This in turn will get propagated into /var/yp/master.passwd
  when an update is performed, and the user's shell will be changed to
  /etc/nologin, thus locking them out of the system.

  To fix this, yppasswdd now retrieves the user's master.passwd record
  directly from ypserv using a call to yp_match(). This bypasses all the
  inclusion/exclusion/substitution processing in getpwent(3).

  Note that rpc.yppasswdd in FreeBSD-current does not suffer from this
  problem: it digs directly into the map database files when searching
  for user records, which means it not only bypasses getpwent(3), it will
  also work even if your NIS master server isn't set up as an NIS client.
  I could have done something similar here, but that would have meant
  adding DB interface code which would have been much more complicated.

  Bug pointed out by: Tom Samplonius

  Revision  Changes    Path
  1.3.4.2   +70 -0     src/gnu/usr.sbin/yppasswdd/Attic/update.c
  1.3.4.2   +8 -1      src/gnu/usr.sbin/yppasswdd/Attic/yppasswdd.c
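
An added illustration of the failure mode described in the log above (not part of the original commit or the yppasswdd source): a small C model comparing the shell an update would write back when the record is built from a getpwnam()-style view versus the record as stored in the map. The user alice, her record, the netgroup membership table and all function names are constructed for this example, and the override rule is simplified to "any non-empty field on a matching +@netgroup line replaces the map's field".

```c
#include <stdio.h>
#include <string.h>

#define NFIELDS 10  /* name:pw:uid:gid:class:change:expire:gecos:dir:shell */
struct rec { char buf[256]; char *f[NFIELDS]; };

/* Constructed sample data (assumptions for this example, not from the commit). */
static const char *MAP_RECORD = "alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/csh";
static const char *OVERRIDE   = "+@disallowed-users:::::::::/etc/nologin";
static const char *MEMBERS[]  = { "alice", NULL };  /* stand-in for a netgroup lookup */

/* Split a master.passwd-format line in place, keeping empty fields. */
static int split(struct rec *r, const char *line) {
    int n = 0;
    char *p = r->buf;
    snprintf(r->buf, sizeof r->buf, "%s", line);
    r->f[n++] = p;
    for (; *p; p++)
        if (*p == ':') {
            if (n == NFIELDS) return -1;  /* too many fields */
            *p = '\0';
            r->f[n++] = p + 1;
        }
    return n == NFIELDS ? 0 : -1;
}

/* Simplified getpwnam()-style view: non-empty override fields replace the map's. */
static int apply_override(struct rec *r, struct rec *o) {
    int i, member = 0;
    if (split(o, OVERRIDE) || strncmp(o->f[0], "+@", 2) != 0) return -1;
    for (i = 0; MEMBERS[i]; i++)
        if (strcmp(MEMBERS[i], r->f[0]) == 0) member = 1;
    for (i = 1; member && i < NFIELDS; i++)
        if (*o->f[i]) r->f[i] = o->f[i];  /* local substitution wins */
    return 0;
}

/* Shell an update would write back, depending on which view the record came from. */
const char *shell_for_update(int via_getpwnam) {
    static struct rec r, o;
    if (split(&r, MAP_RECORD) || (via_getpwnam && apply_override(&r, &o))) return NULL;
    return r.f[NFIELDS - 1];
}

int main(void) {
    printf("getpwnam()-style view: %s\n", shell_for_update(1));
    printf("raw map record:        %s\n", shell_for_update(0));
    return 0;
}
```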