Date:      Thu, 24 May 2007 23:47:25 GMT
From:      "A. Blake Cooper"<blake@cluebie.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/112955: [patch] add netgroup support back to pam_login_access
Message-ID:  <200705242347.l4ONlP3L031238@www.freebsd.org>
Resent-Message-ID: <200705242350.l4ONo3E8043462@freefall.freebsd.org>


>Number:         112955
>Category:       misc
>Synopsis:       [patch] add netgroup support back to pam_login_access
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 24 23:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     A. Blake Cooper
>Release:        6.2
>Organization:
>Environment:
FreeBSD xxx.com 6.2-STABLE FreeBSD 6.2-STABLE #1: Thu Feb  8 16:32:51 EST 2007     fred@xxx.com:/usr/src/sys/amd64/compile/XXX_COM  amd64

>Description:
Netgroup use in /etc/login.access (pam_login_access) has been broken since 5.0. Support was removed in rev. 1.5 of src/usr.bin/login/Attic/login_access.c. The comments don't directly state the reason for removal, and /etc/login.access still lists '@netgroup' as a valid format for NIS netgroups.
>How-To-Repeat:

>Fix:
Attached is a patch that adds the netgroup support to pam_login_access. It is based on src/lib/libpam/modules/pam_login_access/login_access.c rev 1.12.

Patch attached with submission follows:

--- /usr/src/lib/libpam/modules/pam_login_access/login_access.c	Fri Mar  5 03:10:18 2004
+++ ./pam_login_access/login_access.c	Tue Mar 13 00:36:38 2007
@@ -16,6 +16,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_login_access/login_access.c,v 1.12 2004/03/05 08:10:18 markm Exp $");
 
+#include <sys/param.h>
 #include <sys/types.h>
 #include <ctype.h>
 #include <errno.h>
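Review bot: the new #include <sys/param.h> is placed directly above the existing #include <sys/types.h>, and style(9) asks for one or the other, not both, because <sys/param.h> already includes <sys/types.h>; the <sys/types.h> line should be dropped in the same change. The second hunk also calls getdomainname(), strlen() and innetgr(), and the includes visible in this context are only <sys/types.h>, <ctype.h> and <errno.h>, so confirm that <unistd.h>, <string.h> and <netdb.h> are already pulled in further down the include list.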
@@ -146,8 +147,14 @@
 netgroup_match(const char *group __unused,
     const char *machine __unused, const char *user __unused)
 {
-    syslog(LOG_ERR, "NIS netgroup support not configured");
-    return 0;
+	char yp_domain[MAXHOSTNAMELEN];
+
+	if (getdomainname(yp_domain, MAXHOSTNAMELEN) || strlen(yp_domain) == 0) {
+		syslog(LOG_ERR, "NIS netgroup support cannot obtain domainname of this machine.");
+		return (NO);
+	}
+
+    return (innetgr(group, machine, user, yp_domain));
 }
 
 /* user_match - match a username against one token */
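Review bot: the unchanged signature lines of netgroup_match() still tag group, machine and user as __unused, but the new return statement passes all three to innetgr(); the __unused annotations should be removed along with the stub body. The return (innetgr(...)) line is indented with four spaces while the rest of the new body uses tabs, so it should be re-indented with a tab. In the getdomainname() call, sizeof(yp_domain) would be safer than repeating MAXHOSTNAMELEN, and the single syslog message covers both a failed call and an empty domain name; logging the failed call separately with %m would make the two cases distinguishable when an administrator is working out why an @netgroup entry never matches.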


>Release-Note:
>Audit-Trail:
>Unformatted:


