Date: Fri, 26 Oct 2001 12:01:41 +0100 From: Matthew Seaman <matthew.seaman@tornadogroup.com> To: "Hartmann, O." <ohartman@klima.physik.uni-mainz.de> Cc: AMAKAWA Shuhei <sa264@cam.ac.uk>, freebsd-stable@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: NIS/YP problems using pw(8) Message-ID: <3BD94295.24C7A9C@tornadogroup.com> References: <20011025205259.W1888-100000@klima.physik.uni-mainz.de>
next in thread | previous in thread | raw e-mail | index | archive | help
"Hartmann, O." wrote:
> But the automated creation of home directories still won't work with this
> configuration. Updating etc. of user passwords now works from the whole LAN.
> pw(8) creates the appropriate entries in master.passwd (NIS/YP type), but it
> does not create the home directory, as expected with the -m flag. Why? Does
> pw(8) need a master.passwd in /etc/??
I've seen that before. Passing the -V flag to pw(8) causes the PWALTDIR()
macro to evaluate to true, which disables certain operations to do with creating or deleting files and directories, in particular at
around line 747 of pw_user.c ($FreeBSD: src/usr.sbin/pw/pw_user.c,v 1.34.2.10 2001/10/15 13:46:09 dd Exp $) which is what you're
seeing.
I'd assumed that this was done for security reasons, but on reflection, it does seem a little draconian. Perhaps the test should be
that the alternate etcdir location is a directory which isn't writable by anyone other than root:
(Warning: untested code...)
claudette:...src/usr.sbin/pw:# diff -u pw.c.orig pw.c
--- pw.c.orig Fri Oct 26 10:34:50 2001
+++ pw.c Fri Oct 26 11:57:32 2001
@@ -34,6 +34,8 @@
#include <locale.h>
#include <paths.h>
#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include "pw.h"
#if !defined(_PATH_YP)
@@ -92,7 +94,7 @@
static int getindex(const char *words[], const char *word);
static void cmdhelp(int mode, int which);
-
+static int issecure(const char *etcpath);
int
main(int argc, char *argv[])
@@ -221,7 +223,9 @@
config = malloc(MAXPATHLEN);
snprintf(config, MAXPATHLEN, "%s/pw.conf", etcpath);
}
- memcpy(&PWF, &VPWF, sizeof PWF);
+ if (!issecure(etcpath) {
+ memcpy(&PWF, &VPWF, sizeof PWF);
+ }
setpwdir(etcpath);
setgrdir(etcpath);
}
@@ -448,4 +452,21 @@
ca->val = argstr;
LIST_INSERT_HEAD(_args, ca, list);
return ca;
+}
+
+static int
+issecure(const char *etcpath)
+{
+ struct stat stat_buf;
+ int ret;
+ int rc = 0;
+
+ ret = lstat(etcpath, &stat_buf);
+ if (ret == 0 && \
+ stat_buf.st_uid == 0 && \
+ S_ISDIR(stat_buf.st_mode) && \
+ (stat_buf.st_mode & (S_IWGRP|S_IWOTH)) == 0) {
+ rc = 1;
+ }
+ return rc;
}
Matthew
--
Matthew Seaman 01628 498661
Abeo, abeo, abeo, actum est, comites!
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BD94295.24C7A9C>