Date:      Thu, 23 Mar 1995 15:33:22 -0800 (PST)
From:      Bill Paul <wpaul>
To:        gibbs@estienne.CS.Berkeley.EDU (Justin T. Gibbs)
Cc:        CVS-commiters@freefall.cdrom.com, cvs-usrsbin@freefall.cdrom.com
Subject:   Re: cvs commit: src/usr.sbin/pwd_mkdb pwd_mkdb.c
Message-ID:  <199503232333.PAA25704@freefall.cdrom.com>
In-Reply-To: <199503232306.PAA05554@estienne.cs.berkeley.edu> from "Justin T. Gibbs" at Mar 23, 95 03:06:58 pm

> This is also the way the @netgroup/-@netgroup NIS feature is used at TCS,
> but it seems the netgroup file has some braindead limits (both characters
> per netgroup, 128, and number of netgroups) under HP-UX and ULTRIX so we 
> have some nasty perl script that splits up the mass of users we want to
> deny, 2000 in all, into a series of netgroups that works.  This all seems 
> such a waste since our group file is already handled by NIS and the same 
> effort would have taken five +something entries in the passwd file.  In 
> the past, we've used the netgroup file for lists of machines, not users...

I use them for both, and I've also bumped into the limitations, though
I have fewer users than you do so it hasn't started to really annoy me yet.
One thing that does annoy me is that while most of IRIX honors the
+@netgroup/-@netgroup restrictions, the graphical console login screen
doesn't (up to IRIX 5.2 at least -- haven't installed 5.3 yet). Every so
often, an unauthorized user will log in on one of the SGI consoles, get
partway in, then discover that they can't get out again, forcing me to
come along and blow them off the system so that other people can use the
console again. Bah.

> >The main problem I see in implementing group remapping would be that I'd need
> >yet another magic symbol (+ for just username remapping, +@ for netgroup
> >remapping and something else to represent plain group remapping), and
> >I'd have to modify pwd_mkdb, pwd.h and the caching function in getpwent.c
> >some more. This isn't that tough to do, but it would be very non-standard.
> >(The +user/-user stuff is also non-standard, but I kept it for backwards
> >compatibility.)
> 
> Would it be too gross to simply check the group map if we don't get a hit
> for a +@ entry in the netgroup file?

Hurm. Good question. Let me think... That might work. The only problem
is that if you have a group and netgroup with the same name, the netgroup
would necessarily take precedence. That could be confusing. On the other
hand, I would only have to change the _createcaches() function in getpwent.c
to make it work. Let me play with this after I get home tonight and if
I can do it without slowing things down too much, I'll toss it in.

Of course, if anyone can think of a good reason not to do it this
way, speak now.

> --
> Justin T. Gibbs
> ==============================================
> TCS Instructional Group - Programmer/Analyst 1
>   Cory | Po | Danube | Volga | Parker | Torus
> ==============================================
> 

-Bill
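The lookup order discussed in this exchange, as an added model rather than code from FreeBSD's getpwent.c: a +@name or -@name compat entry is answered by the netgroup map first and by the NIS group map only when no netgroup of that name exists, with first-match evaluation in file order. The maps and passwd lines are constructed sample data.

```python
# Constructed sample maps standing in for NIS netgroup / group lookups.
NETGROUPS = {                       # netgroup name -> user members
    "staff": {"alice", "bob"},
    "shared": {"carol"},            # a group named "shared" also exists below
}
GROUPS = {                          # group map: group name -> members
    "wheel": {"bob", "dave"},
    "shared": {"erin"},             # shadowed: the netgroup of that name wins
}


def expand(name):
    """Members for +@name/-@name and which map answered (None if neither)."""
    if name in NETGROUPS:           # netgroup always takes precedence ...
        return NETGROUPS[name], "netgroup"
    if name in GROUPS:              # ... the group map is only a fallback
        return GROUPS[name], "group"
    return set(), None


def name_clashes():
    """Names present in both maps: entries where the precedence rule matters."""
    return set(NETGROUPS) & set(GROUPS)


def resolve(passwd_lines):
    """First-match evaluation of a compat passwd file.

    Returns (allowed_users, sources); sources records which map answered
    each +@/-@ key so an admin can see when a group was silently shadowed.
    """
    decision, sources = {}, {}
    for line in passwd_lines:
        key = line.split(":", 1)[0]
        if key.startswith(("+@", "-@")):
            members, sources[key] = expand(key[2:])
        elif key.startswith(("+", "-")) and len(key) > 1:
            members = {key[1:]}     # +user / -user single-user entries
        else:
            members = {key}         # ordinary local entry
        allow = not key.startswith("-")
        for user in members:
            decision.setdefault(user, allow)   # earlier entries win
    return {u for u, ok in decision.items() if ok}, sources


SAMPLE = [                          # constructed compat passwd file
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "-@shared:*:0:0:::",            # netgroup "shared" denies carol, not erin
    "+@staff:*:0:0:::",
    "+@wheel:*:0:0:::",             # no such netgroup, so the group map answers
    "+@nosuch:*:0:0:::",            # neither map knows it: no users added
]
```

Running `resolve(SAMPLE)` shows `+@wheel` answered from the group map while `-@shared` never reaches the group of that name, which is exactly the confusion the reply anticipates.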


