From nobody@FreeBSD.org  Thu May 24 23:47:25 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5889E16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 May 2007 23:47:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 489CA13C447
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 May 2007 23:47:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4ONlPTB031240
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 24 May 2007 23:47:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4ONlP3L031238;
	Thu, 24 May 2007 23:47:25 GMT
	(envelope-from nobody)
Message-Id: <200705242347.l4ONlP3L031238@www.freebsd.org>
Date: Thu, 24 May 2007 23:47:25 GMT
From: "A. Blake Cooper"<blake@cluebie.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] add netgroup support back to pam_login_access
X-Send-Pr-Version: www-3.0

>Number:         112955
>Category:       bin
>Synopsis:       [patch] login(1): add netgroup support back to pam_login_access
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 24 23:50:03 GMT 2007
>Closed-Date:    Tue Mar 01 10:14:57 EST 2011
>Last-Modified:  Tue Mar 01 10:14:57 EST 2011
>Originator:     A. Blake Cooper
>Release:        6.2
>Organization:
>Environment:
FreeBSD xxx.com 6.2-STABLE FreeBSD 6.2-STABLE #1: Thu Feb  8 16:32:51 EST 2007     fred@xxx.com:/usr/src/sys/amd64/compile/XXX_COM  amd64

>Description:
Netgroup use in /etc/login.access (pam_login_access) has been broken since 5.0.  Support was removed in rev. 1.5 of src/usr.bin/login/Attic/login_access.c.  The comments don't directly state the reason for removal, and /etc/login.access still lists '@netgroup' as a valid format for NIS netgroups.
>How-To-Repeat:

>Fix:
Attached is a patch that adds netgroup support to pam_login_access, based on src/lib/libpam/modules/pam_login_access/login_access.c rev 1.12.

Patch attached with submission follows:

--- /usr/src/lib/libpam/modules/pam_login_access/login_access.c	Fri Mar  5 03:10:18 2004
+++ ./pam_login_access/login_access.c	Tue Mar 13 00:36:38 2007
@@ -16,6 +16,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_login_access/login_access.c,v 1.12 2004/03/05 08:10:18 markm Exp $");
 
+#include <sys/param.h>
 #include <sys/types.h>
 #include <ctype.h>
 #include <errno.h>
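Review bot: the added #include <sys/param.h> sits directly above #include <sys/types.h>, which it makes redundant: on FreeBSD <sys/param.h> already includes <sys/types.h>, and style(9) asks for one or the other, not both. Suggest replacing the <sys/types.h> line instead of adding a second include. The visible context stops at <errno.h>, so it is also worth confirming that the headers declaring getdomainname() and innetgr(), which the next hunk calls, are included further down.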
@@ -146,8 +147,14 @@
 netgroup_match(const char *group __unused,
     const char *machine __unused, const char *user __unused)
 {
-    syslog(LOG_ERR, "NIS netgroup support not configured");
-    return 0;
+	char yp_domain[MAXHOSTNAMELEN];
+
+	if (getdomainname(yp_domain, MAXHOSTNAMELEN) || strlen(yp_domain) == 0) {
+		syslog(LOG_ERR, "NIS netgroup support cannot obtain domainname of this machine.");
+		return (NO);
+	}
+
+    return (innetgr(group, machine, user, yp_domain));
 }
 
 /* user_match - match a username against one token */
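Review bot: in netgroup_match(), strlen(yp_domain) can read past the end of the buffer, because getdomainname() does not NUL-terminate the result when the name does not fit in the space it is given. Pass sizeof(yp_domain) instead of repeating MAXHOSTNAMELEN, and set yp_domain[sizeof(yp_domain) - 1] = '\0' before checking the length (or simply test yp_domain[0] == '\0'). The signature still marks group, machine and user as __unused although all three are now passed to innetgr(); drop the attribute. The error path returns NO, so the caller cannot tell a failed domain lookup from a non-member, and a login.access entry that denies a netgroup would then silently not match; the syslog message is the only trace, so that behaviour should at least be documented. The final return line is indented with spaces while the rest of the new body uses tabs.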


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri May 25 00:26:05 UTC 2007 
Responsible-Changed-Why:  
des, markm did the original commit, but since you grok pam, can you comment 
on this one?  I have no domain knowledge here. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112955 
State-Changed-From-To: open->patched 
State-Changed-By: des 
State-Changed-When: Fri May 25 07:53:59 UTC 2007 
State-Changed-Why:  
Patch committed, awaiting MFC 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112955: commit references a PR
Date: Fri, 25 May 2007 07:50:25 +0000 (UTC)

 des         2007-05-25 07:50:18 UTC
 
   FreeBSD src repository
 
   Modified files:
     lib/libpam/modules/pam_login_access login_access.c 
   Log:
   Re-add support for NIS netgroups (heavily modified from patch in PR)
   
   PR:             bin/112955
   Submitted by:   A. Blake Cooper <blake@cluebie.net>
   MFC after:      3 weeks
   
   Revision  Changes    Path
   1.13      +22 -4     src/lib/libpam/modules/pam_login_access/login_access.c
 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/112955: [patch] login(1): add netgroup support back to
 pam_login_access
Date: Sun, 1 Jun 2008 17:28:26 +0100 (BST)

 This was patched in HEAD before 7.0 was forked, with a plan to MFC after 
 three weeks, although it has not yet been MFC'd to 6.x.
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Tue Mar 1 10:14:56 EST 2011 
State-Changed-Why:  
This PR is fixed in head, 8.x and 7.x, but will not be merged to 6.x now 
that that branch is unsupported, sorry 

>Unformatted:
