Date:      Mon, 5 Jun 1995 22:56:24 -0400 (EDT)
From:      "House of Debuggin'" <wpaul@skynet.ctr.columbia.edu>
To:        wilcox@math.psu.edu (Ken Wilcox)
Cc:        bugs@FreeBSD.org
Subject:   Re: bug in NIS/passwd
Message-ID:  <199506060256.WAA02120@skynet.ctr.columbia.edu>
In-Reply-To: <199506051547.LAA07081@napier.math.psu.edu> from "Ken Wilcox" at Jun 5, 95 11:47:10 am

They say this Ken Wilcox person was kidding when he wrote:

> 
> I don't know which one it is in, but I will explain the problem.
> We have a group of suns that are all configured alike and running NIS, etc.
> I got freebsd and loaded it up with yp and amd to run just as our suns do and
> it works nice except for one problem. This is how we do restrictions on logins.
> 
> /etc/passwd
> +@staff::0:0:::
> +::65534:65534:::/usr/new/misc/message

I use similar access restrictions, though I tend to specify everything
in terms of netgroups.
 
> When I try to do this on my bsd machine, everyone's shell is 
> /usr/new/misc/message and it looks like it just totally disregarded the staff 
> line.

Well, you didn't say exactly what version of FreeBSD you're running. If
it's 2.0-RELEASE, then I'm not even going to speculate what the problem
is: there are too many to count. For one thing, netgroup overrides didn't
even work.

2.0.5A is a lot better. The netgroup overrides do work, and even
group overrides are possible (if netgroup 'foo' doesn't exist, then
the library will try to match +@foo against regular group 'foo'
instead).

Anyway, here's how the stuff should work:

> +@staff::0:0:::

I think the /etc/master.passwd equivalent of this is +@staff:::::::::.
This allows users in netgroup 'staff' into the system with no overrides.
I'm guessing that this is what you want. If you replace the UID and GID
fields in /etc/master.passwd with '0', then the 'staff' netgroup will
have their UIDs and GIDs remapped to 0, thus turning them into superusers.
This is handy, but not necessarily desirable.

> +::65534:65534:::/usr/new/misc/message

This line should affect everyone who isn't in the 'staff' netgroup
(the rule is that the first match wins -- those who don't match 'staff'
fall through to the next entry). It should be expressed in 
/etc/master.passwd as +::65534:65534::::::/usr/new/misc/messages.
What it should do is remap everyone's UID and GID to 65534 and their 
shell to /usr/new/misc/message. 

The end result is that users in the 'staff' netgroup should be able to
log in, while everybody else should get the /usr/new/misc/messages
treatment. This is exactly the behavior that 2.0.5 should exhibit.

> It makes no difference where you put the line either. Has anyone 
> experienced this problem?
> 
> -Ken Wilcox
> 

Well, again, you didn't say what version of FreeBSD you're running.
In FreeBSD 2.0-RELEASE, the +@staff:::::::: line would be ignored
since netgroup overrides weren't supported in that release. Basically,
the second line would be applied to everyone. I think this is the
problem you're describing.

With 2.0.5, this should work correctly: assuming you have an /etc/netgroup
file with a '+' in it, the +@netgroup/-@netgroup overrides will be
properly evaluated and 'staff' will be granted access while everyone
else will get booted out.

Be warned that 2.0.5A has a subtle bug in it that will wreck shell
substitutions ("And the Lord Elvis spake unto me: 'Yea, thou shalt
return only pointers to static buffers lest thine dynamic storage be
free()ed out from under thine ass, and thy stack be corrupted.'"). A 
patch has already been submitted and applied to fix this, so everything 
should work in 2.0.5-BETA and 2.0.5-RELEASE.

If you are running 2.0-RELEASE, my suggestion is to upgrade. If you
don't want to upgrade, your only alternative is to patch libc: you
need new copies of getpwent.c, getgrent.c and getnetgrent.c. Replacing
rcmd.c might be a good idea too.

-Bill

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~T~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Bill Paul            (212) 854-6020 | System Manager
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Møøse Illuminati: ignore it and be confused, or join it and be confusing!
~~~~~~~~~ FreeBSD 2.1:  "We can kick your operating system's ass!" ~~~~~~~~~~
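The override evaluation Bill describes (first match wins, an empty field in a '+' line keeps the NIS value, a non-empty field replaces it, and a '+@foo' that names no netgroup falls back to group 'foo' on 2.0.5) can be simulated directly. The following is an added example, not part of this message and not FreeBSD's libc code: the NIS map, the netgroups, the regular groups and the master.passwd lines are all constructed, and the `netgroup_overrides=False` switch only mimics the 2.0-RELEASE behaviour described above, where '+@' lines were ignored and the bare '+' line hit everyone.

```python
"""Simulate FreeBSD 2.0.5-style evaluation of NIS '+'/'-' override lines in
/etc/master.passwd.  Added example, not FreeBSD libc code; every map below
is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


# The ten fields of an /etc/master.passwd line.
@dataclass
class PwEntry:
    name: str
    pw: str
    uid: str
    gid: str
    cls: str
    change: str
    expire: str
    gecos: str
    home: str
    shell: str


# Fields a '+' line may override; an empty field keeps the NIS value.
OVERRIDABLE = ("uid", "gid", "cls", "change", "expire", "gecos", "home", "shell")


def parse_line(line: str) -> PwEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    return PwEntry(*parts)


# Constructed NIS master.passwd map (user -> entry).
NIS_PASSWD: Dict[str, PwEntry] = {e.name: e for e in map(parse_line, [
    "ken:*:1001:100::0:0:Ken:/home/ken:/bin/csh",
    "bob:*:1002:100::0:0:Bob:/home/bob:/bin/sh",
    "eve:*:1003:100::0:0:Eve:/home/eve:/bin/sh",
])}

# Constructed netgroups: name -> set of (host, user, domain); '' is a wildcard.
NETGROUPS: Dict[str, Set[tuple]] = {
    "staff": {("", "ken", ""), ("", "bob", "")},
    "guests": {("", "eve", "")},
}
# Constructed regular groups, consulted when '+@foo' names no netgroup
# (the 2.0.5 fallback described in the message).
GROUPS: Dict[str, Set[str]] = {"operator": {"bob"}}


def in_netgroup(user: str, netgroup: str) -> bool:
    return any(member in ("", user)
               for _host, member, _domain in NETGROUPS.get(netgroup, ()))


def matches(user: str, spec: str) -> bool:
    """spec is what follows '+' or '-': '' (everyone), '@name', or a user name."""
    if spec == "":
        return True
    if spec.startswith("@"):
        name = spec[1:]
        if name in NETGROUPS:
            return in_netgroup(user, name)
        return user in GROUPS.get(name, set())
    return spec == user


def resolve(user: str, master_lines: List[str],
            netgroup_overrides: bool = True) -> Optional[PwEntry]:
    """Effective entry for user, or None if no line admits them.
    netgroup_overrides=False mimics 2.0-RELEASE, where '+@'/'-@' lines were ignored."""
    for line in master_lines:
        e = parse_line(line)
        if e.name[:1] in ("+", "-"):
            spec = e.name[1:]
            if spec.startswith("@") and not netgroup_overrides:
                continue
            if not matches(user, spec):
                continue
            if e.name[0] == "-":
                return None                   # explicitly excluded
            nis = NIS_PASSWD.get(user)
            if nis is None:
                return None                   # matched a '+' but NIS has no such user
            # First match wins: apply this line's non-empty overrides and stop.
            return replace(nis, **{f: getattr(e, f) for f in OVERRIDABLE if getattr(e, f)})
        if e.name == user:
            return e                          # plain local entry
    return None


# The configuration from the message, in master.passwd form.
MASTER_PASSWD = [
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    "+@staff:::::::::",
    "+::65534:65534::::::/usr/new/misc/message",
]

if __name__ == "__main__":
    for u in ("ken", "eve", "root"):
        print(u, resolve(u, MASTER_PASSWD))
```

Run as-is, `ken` keeps his NIS UID and shell, `eve` lands on UID 65534 with the message shell, and `root` comes from the local line. Passing `netgroup_overrides=False` reproduces the symptom in the question, and a '+@staff::0:0::::::' line reproduces the UID-0 remapping Bill warns about, which is worth checking for in any audit of these files.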