From nobody@FreeBSD.org  Sun Mar  3 01:16:31 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0BA6B37B400
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  3 Mar 2002 01:16:30 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g239GT211722;
	Sun, 3 Mar 2002 01:16:29 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200203030916.g239GT211722@freefall.freebsd.org>
Date: Sun, 3 Mar 2002 01:16:29 -0800 (PST)
From: Martin Butkus <m.butkus@tu-bs.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: innetgr() doesn't match wildcard fields in NIS-only mode
X-Send-Pr-Version: www-1.0

>Number:         35506
>Category:       kern
>Synopsis:       [libc] innetgr() doesn't match wildcard fields in NIS-only mode
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    jon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 03 01:20:01 PST 2002
>Closed-Date:    Sat Mar 01 20:02:26 UTC 2008
>Last-Modified:  Sat Mar 01 20:02:26 UTC 2008
>Originator:     Martin Butkus
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Technical University Braunschweig, Germany
>Environment:
FreeBSD mufasa.thgwf.de 4.5-STABLE FreeBSD 4.5-STABLE #2: Wed Feb 20 23:23:10 CET 2002     root.mb@mufasa.thgwf.de:/usr/obj/usr/src/sys/MUFASA  i386

>Description:
innetgr() has code to speed up lookup of netgroup entries when
netgroups are served exclusively via NIS (i.e. no local netgroups
defined in /etc/netgroup).

This code does not honor wildcard entries. For example, 
according to netgroup(5), a netgroup like this should 
match any (host, user, domain) combination:

FOO (,,)

However, innetgr() yields a zero exit status when no local 
netgroups are defined. In the presence of at least one local
netgroup, it yields an exit status of one (the correct behaviour).

This bug affects both login(1) and ssh(1) since both use 
innetgr() for access control. It is therefore very annoying when 
you try to use NIS-based netgroups for centralized access control 
as described in the FreeBSD Handbook (i.e. entries of the form 
"+@NETGROUP" in master.passwd).

>How-To-Repeat:
This is the NIS netgroup file that I use:

root@mufasa /var/yp # cat netgroup
FOO (,,)

This C program will yield "0 0 0" when there is no 
local /etc/netgroup file present:

--- snip --
#include <stdio.h>
#include <netdb.h>

int main(void) {
	int i;

	/* FOO is "(,,)" in the NIS map, so each call should return 1 */
	i = innetgr("FOO","foo",NULL,"bar");
	printf("%d ",i);
	i = innetgr("FOO",NULL,"foo","bar");
	printf("%d ",i);
	i = innetgr("FOO",NULL,NULL,"bar");
	printf("%d\n",i);
	return 0;
}
--- snap --

However, when a local netgroup file like this is present:

root@mufasa /etc # cat netgroup
BAR	(,,)
+

then the result is "1 1 1" (as expected). The local netgroup 
file needs to have at least one entry besides "+".

>Fix:
Unfortunately I do not understand the NIS-only code in innetgr()
quite well. From my understanding, it doesn't seem to take
wildcard entries into account at all.

A possible but ugly workaround would be to always create a local 
netgroups file that contains at least one local netgroup besides 
the "+" entry, thus bypassing said code. 

Another possibility would be to rip out the NIS speedup code
completely.
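
The netgroup(5) triple semantics the report relies on, as an added example that is neither from this PR nor from FreeBSD's libc: a small reference matcher over a constructed in-memory NIS map, where an empty triple field is a wildcard and a NULL query argument means "don't care". The map contents, the extra BAR group and the name my_innetgr are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One (host,user,domain) triple of a netgroup, as in netgroup(5).
 * An empty string field is a wildcard that matches anything. */
struct triple { const char *host, *user, *domain; };

/* Constructed NIS-only netgroup map: the PR's "FOO (,,)" plus a narrower
 * hypothetical group "BAR (,bob,example.org)". */
struct group { const char *name; struct triple t[2]; int n; };
static const struct group nis_map[] = {
    { "FOO", { { "", "", "" } }, 1 },
    { "BAR", { { "", "bob", "example.org" } }, 1 },
};

/* A query field matches a triple field when the triple field is empty
 * (wildcard), the query is NULL (caller doesn't care), or both are equal. */
static int field_match(const char *want, const char *have)
{
    return have[0] == '\0' || want == NULL || strcmp(want, have) == 0;
}

/* Reference innetgr(3) semantics over the map above: 1 on a match, else 0.
 * Every triple is checked field by field, so wildcards are always honoured. */
int my_innetgr(const char *netgroup, const char *host,
               const char *user, const char *domain)
{
    size_t g, i;
    for (g = 0; g < sizeof nis_map / sizeof nis_map[0]; g++) {
        if (strcmp(nis_map[g].name, netgroup) != 0)
            continue;
        for (i = 0; i < (size_t)nis_map[g].n; i++) {
            const struct triple *t = &nis_map[g].t[i];
            if (field_match(host, t->host) && field_match(user, t->user)
                && field_match(domain, t->domain))
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* The three calls from the PR's test program: prints "1 1 1". */
    printf("%d %d %d\n", my_innetgr("FOO", "foo", NULL, "bar"),
           my_innetgr("FOO", NULL, "foo", "bar"),
           my_innetgr("FOO", NULL, NULL, "bar"));
    return 0;
}
```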

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jon 
Responsible-Changed-By: jon 
Responsible-Changed-When: Fri Jul 22 19:52:50 GMT 2005 
Responsible-Changed-Why:  
fix is in the works 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35506 
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Sat Nov 17 06:59:36 UTC 2007 
State-Changed-Why:  

Was this ever fixed? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35506 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sat Mar 1 20:01:51 UTC 2008 
State-Changed-Why:  
Apparently fixed quite some time ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35506 
>Unformatted:

Yes, fixed in src/lib/libc/gen/getnetgrent.c 1.34, MFCed to RELENG4,5,6.
  
Thanks for catching this, I should have stuck this into feedback years ago.  :)