Date: Wed, 16 Mar 2022 05:12:49 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Yasuhiro Kimura <yasu@FreeBSD.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: getnetgrent(3) fails to parse long netgroup entry if it is stored in NIS
Message-ID: <YT2PR01MB9730984331ED290D85ADFE4DDD119@YT2PR01MB9730.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20220316.014814.1921859297745365117.yasu@FreeBSD.org>
References: <20220316.014814.1921859297745365117.yasu@FreeBSD.org>

Oh, and you can have netgroups in netgroups, so you can do something like...

net0 net1,net2
net1 (host1,,),(host2,,)
net2 (host3,,),(host4,,)

then net0 has all 4 hosts in it.

I think you need to break the large netgroup up into sub netgroups where each
one is <= 1024 bytes long.

rick

________________________________________
From: owner-freebsd-current@freebsd.org <owner-freebsd-current@freebsd.org> on behalf of Yasuhiro Kimura <yasu@FreeBSD.org>
Sent: Tuesday, March 15, 2022 12:48 PM
To: freebsd-current@freebsd.org
Subject: getnetgrent(3) fails to parse long netgroup entry if it is stored in NIS

Hello,

I use a netgroup stored in the NIS database to control access to an NFS
server. Recently I added some hosts to the netgroup that is permitted
access to the NFS server. After that, mountd(8) writes messages such as
the following to syslog.

Mar 15 17:16:59 server mountd[4276]: can't get address info for host host34.nfs.
Mar 15 17:16:59 server mountd[4276]: bad host host34.nfs. in netgroup permitted_nfs_clients, skipping

The netgroup entry used to control access to the NFS server includes a
lot of hosts, as follows.

----------------------------------------------------------------------
yasu@server[1002]% ypmatch -k permitted_nfs_clients netgroup
permitted_nfs_clients: (host01.nfs.example.com,,) (host02.nfs.example.com,,) (host03.nfs.example.com,,) (host04.nfs.example.com,,) (host05.nfs.example.com,,) (host06.nfs.example.com,,) (host07.nfs.example.com,,) (host08.nfs.example.com,,) (host09.nfs.example.com,,) (host10.nfs.example.com,,) (host11.nfs.example.com,,) (host12.nfs.example.com,,) (host13.nfs.example.com,,) (host14.nfs.example.com,,) (host15.nfs.example.com,,) (host16.nfs.example.com,,) (host17.nfs.example.com,,) (host18.nfs.example.com,,) (host19.nfs.example.com,,) (host20.nfs.example.com,,) (host21.nfs.example.com,,) (host22.nfs.example.com,,) (host23.nfs.example.com,,) (host24.nfs.example.com,,) (host25.nfs.example.com,,) (host26.nfs.example.com,,) (host27.nfs.example.com,,) (host28.nfs.example.com,,) (host29.nfs.example.com,,) (host30.nfs.example.com,,) (host31.nfs.example.com,,) (host32.nfs.example.com,,) (host33.nfs.example.com,,) (host34.nfs.example.com,,) (host35.nfs.example.com,,) (host36.nfs.example.com,,) (host37.nfs.example.com,,) (host38.nfs.example.com,,) (host39.nfs.example.com,,) (host40.nfs.example.com,,) (host41.nfs.example.com,,) (host42.nfs.example.com,,) (host43.nfs.example.com,,) (host44.nfs.example.com,,) (host45.nfs.example.com,,) (host46.nfs.example.com,,) (host47.nfs.example.com,,) (host48.nfs.example.com,,) (host49.nfs.example.com,,) (host50.nfs.example.com,,)
yasu@server[1054]%
----------------------------------------------------------------------

And if I remove host34.nfs.example.com from permitted_nfs_clients,
then the syslog messages of mountd(1) change as follows.

Mar 15 17:16:59 server mountd[4276]: can't get address info for host host35.nfs.
Mar 15 17:16:59 server mountd[4276]: bad host host35.nfs. in netgroup permitted_nfs_clients, skipping

It seems to stop parsing the value of the netgroup entry in the middle
if the length is longer than a certain value.

I checked usr.sbin/mountd/mountd.c and found it uses getnetgrent(3) to
parse the value of the netgroup entry. So I wrote the following program
to check its behavior.

----------------------------------------------------------------------
yasu@server[1152]% cat list_netgroup_entry.c
#include <stdio.h>
#include <libgen.h>
#include <netdb.h>

int
main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s NameOfNetgroup\n", basename(argv[0]));
        return 1;
    }

    /* Select the netgroup to enumerate. */
    setnetgrent(argv[1]);
    printf("netgroup: %s\n", argv[1]);

    /* Print every (host, user, domain) triple the lookup returns. */
    char *host, *user, *domain;
    while (getnetgrent(&host, &user, &domain))
        printf("\thost: %s, user: %s, domain: %s\n", host, user, domain);
    endnetgrent();

    return 0;
}
yasu@server[1152]%
----------------------------------------------------------------------

If the netgroup entry is stored in /etc/netgroup, then the value is
parsed properly.

----------------------------------------------------------------------
yasu@server[1061]% cat /etc/netgroup
very_long_file_entry (host1.long.long.long.example.com,,) \
	(host2.long.long.long.example.com,,) \
	(host3.long.long.long.example.com,,) \
	(host4.long.long.long.example.com,,) \
	(host5.long.long.long.example.com,,) \
	(host6.long.long.long.example.com,,) \
	(host7.long.long.long.example.com,,) \
	(host8.long.long.long.example.com,,) \
	(host9.long.long.long.example.com,,) \
	(host10.long.long.long.example.com,,) \
	(host11.long.long.long.example.com,,) \
	(host12.long.long.long.example.com,,) \
	(host13.long.long.long.example.com,,) \
	(host14.long.long.long.example.com,,) \
	(host15.long.long.long.example.com,,) \
	(host16.long.long.long.example.com,,) \
	(host17.long.long.long.example.com,,) \
	(host18.long.long.long.example.com,,) \
	(host19.long.long.long.example.com,,) \
	(host20.long.long.long.example.com,,) \
	(host21.long.long.long.example.com,,) \
	(host22.long.long.long.example.com,,) \
	(host23.long.long.long.example.com,,) \
	(host24.long.long.long.example.com,,) \
	(host25.long.long.long.example.com,,) \
	(host26.long.long.long.example.com,,) \
	(host27.long.long.long.example.com,,) \
	(host28.long.long.long.example.com,,) \
	(host29.long.long.long.example.com,,) \
	(host30.long.long.long.example.com,,)
+
yasu@server[1062]% ./list_netgroup_entry very_long_file_entry
netgroup: very_long_file_entry
	host: host30.long.long.long.example.com, user: , domain:
	host: host29.long.long.long.example.com, user: , domain:
	host: host28.long.long.long.example.com, user: , domain:
	host: host27.long.long.long.example.com, user: , domain:
	host: host26.long.long.long.example.com, user: , domain:
	host: host25.long.long.long.example.com, user: , domain:
	host: host24.long.long.long.example.com, user: , domain:
	host: host23.long.long.long.example.com, user: , domain:
	host: host22.long.long.long.example.com, user: , domain:
	host: host21.long.long.long.example.com, user: , domain:
	host: host20.long.long.long.example.com, user: , domain:
	host: host19.long.long.long.example.com, user: , domain:
	host: host18.long.long.long.example.com, user: , domain:
	host: host17.long.long.long.example.com, user: , domain:
	host: host16.long.long.long.example.com, user: , domain:
	host: host15.long.long.long.example.com, user: , domain:
	host: host14.long.long.long.example.com, user: , domain:
	host: host13.long.long.long.example.com, user: , domain:
	host: host12.long.long.long.example.com, user: , domain:
	host: host11.long.long.long.example.com, user: , domain:
	host: host10.long.long.long.example.com, user: , domain:
	host: host9.long.long.long.example.com, user: , domain:
	host: host8.long.long.long.example.com, user: , domain:
	host: host7.long.long.long.example.com, user: , domain:
	host: host6.long.long.long.example.com, user: , domain:
	host: host5.long.long.long.example.com, user: , domain:
	host: host4.long.long.long.example.com, user: , domain:
	host: host3.long.long.long.example.com, user: , domain:
	host: host2.long.long.long.example.com, user: , domain:
	host: host1.long.long.long.example.com, user: , domain:
yasu@server[1063]%
----------------------------------------------------------------------

But if it is stored in the NIS database, then parsing stops in the
middle of it.

----------------------------------------------------------------------
yasu@server[1063]% ypmatch -k very_long_nis_entry netgroup
very_long_nis_entry: (host1.long.long.long.example.com,,) (host2.long.long.long.example.com,,) (host3.long.long.long.example.com,,) (host4.long.long.long.example.com,,) (host5.long.long.long.example.com,,) (host6.long.long.long.example.com,,) (host7.long.long.long.example.com,,) (host8.long.long.long.example.com,,) (host9.long.long.long.example.com,,) (host10.long.long.long.example.com,,) (host11.long.long.long.example.com,,) (host12.long.long.long.example.com,,) (host13.long.long.long.example.com,,) (host14.long.long.long.example.com,,) (host15.long.long.long.example.com,,) (host16.long.long.long.example.com,,) (host17.long.long.long.example.com,,) (host18.long.long.long.example.com,,) (host19.long.long.long.example.com,,) (host20.long.long.long.example.com,,) (host21.long.long.long.example.com,,) (host22.long.long.long.example.com,,) (host23.long.long.long.example.com,,) (host24.long.long.long.example.com,,) (host25.long.long.long.example.com,,) (host26.long.long.long.example.com,,) (host27.long.long.long.example.com,,) (host28.long.long.long.example.com,,) (host29.long.long.long.example.com,,) (host30.long.long.long.example.com,,)
yasu@server[1064]% ./list_netgroup_entry very_long_nis_entry
netgroup: very_long_nis_entry
	host: host25.long.long.long.examp, user: , domain:
	host: host24.long.long.long.example.com, user: , domain:
	host: host23.long.long.long.example.com, user: , domain:
	host: host22.long.long.long.example.com, user: , domain:
	host: host21.long.long.long.example.com, user: , domain:
	host: host20.long.long.long.example.com, user: , domain:
	host: host19.long.long.long.example.com, user: , domain:
	host: host18.long.long.long.example.com, user: , domain:
	host: host17.long.long.long.example.com, user: , domain:
	host: host16.long.long.long.example.com, user: , domain:
	host: host15.long.long.long.example.com, user: , domain:
	host: host14.long.long.long.example.com, user: , domain:
	host: host13.long.long.long.example.com, user: , domain:
	host: host12.long.long.long.example.com, user: , domain:
	host: host11.long.long.long.example.com, user: , domain:
	host: host10.long.long.long.example.com, user: , domain:
	host: host9.long.long.long.example.com, user: , domain:
	host: host8.long.long.long.example.com, user: , domain:
	host: host7.long.long.long.example.com, user: , domain:
	host: host6.long.long.long.example.com, user: , domain:
	host: host5.long.long.long.example.com, user: , domain:
	host: host4.long.long.long.example.com, user: , domain:
	host: host3.long.long.long.example.com, user: , domain:
	host: host2.long.long.long.example.com, user: , domain:
	host: host1.long.long.long.example.com, user: , domain:
yasu@server[1065]%
----------------------------------------------------------------------

So it seems getnetgrent(3) fails to parse a long netgroup entry if it is
stored in NIS.

---
Yasuhiro Kimura
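
The workaround suggested in the reply at the top of this message (nested sub-netgroups of at most 1024 bytes each) can be scripted. The following is an added example, not code from either poster or from FreeBSD. It assumes the limit applies to the whole "name member ..." line and that generated groups are named `<name>_N` (a hypothetical scheme), and it flattens the result again to confirm that no host was dropped.

```python
# Added example (not from the thread). Assumptions: the 1024-byte limit covers
# the whole "name member ..." line; sub-netgroups are named <name>_1, <name>_2
# (hypothetical scheme); members contain no embedded whitespace.
LIMIT = 1024

def _size(group, items):
    """Byte length of the netgroup(5) line 'group item item ...'."""
    return len(f"{group} {' '.join(items)}".encode())

def split_netgroup(name, members, limit=LIMIT):
    """Return netgroup(5) lines: the sub-netgroups, then the parent listing them."""
    if _size(name, members) <= limit:
        return [f"{name} {' '.join(members)}"]        # short enough, nothing to do
    worst = f"{name}_{len(members)}"                  # longest sub-name we could need
    chunks, current = [], []
    for m in members:
        if _size(worst, [m]) > limit:
            raise ValueError(f"single member exceeds limit: {m[:40]}")
        if current and _size(worst, current + [m]) > limit:
            chunks.append(current)                    # next member would overflow
            current = []
        current.append(m)
    chunks.append(current)
    subs = [f"{name}_{i}" for i in range(1, len(chunks) + 1)]
    if _size(name, subs) > limit:
        raise ValueError("parent entry is still too long; add another level")
    return [f"{s} {' '.join(c)}" for s, c in zip(subs, chunks)] + [f"{name} {' '.join(subs)}"]

def expand(lines, name, path=()):
    """Flatten nested netgroups to triples, to confirm the split lost nothing."""
    if name in path:
        raise ValueError(f"netgroup cycle through {name}")
    table = {l.split()[0]: l.split()[1:] for l in lines}
    out = []
    for m in table[name]:
        out.extend([m] if m.startswith("(") else expand(lines, m, path + (name,)))
    return out

# Constructed sample mirroring the 50-host entry in the report.
SAMPLE = [f"(host{i:02d}.nfs.example.com,,)" for i in range(1, 51)]

if __name__ == "__main__":
    result = split_netgroup("permitted_nfs_clients", SAMPLE)
    assert expand(result, "permitted_nfs_clients") == SAMPLE
    for line in result:
        print(len(line.encode()), line[:60] + "...")
```

A host silently dropped from an export netgroup loses access, so comparing the flattened membership before and after the split is worth doing before the NIS map is rebuilt.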