Subject: lib/3710: new rsh does not work with NIS
To: None <gnats-bugs@gnats.netbsd.org>
From: Tatoku Ogaito <tacha@trap.fukui-med.ac.jp>
List: netbsd-bugs
Date: 06/05/1997 13:08:46
>Number:         3710
>Category:       lib
>Synopsis:       new rsh does not work with NIS
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people (Library Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun  4 21:20:00 1997
>Last-Modified:
>Originator:     Tatoku Ogaito
>Organization:
-----            : Tatoku Ogaito
   / _  _ _/ _   : Dept. Phys, Fukui Medical School
  / (_|(_ /)(_|  : E-mail: tacha@trap.fukui-med.ac.jp
>Release:        current as of 06/04/97
>Environment:
System: NetBSD tera.fukui-med.ac.jp 1.2E NetBSD 1.2E (TERA) #78: Wed Jun  4 11:22:21 JST 1997     root@tera.fukui-med.ac.jp:/usr/current/src/sys/arch/i386/compile/TERA i386

>Description:
	New rsh (and rcp), which use the new rshrcmd(3), do not work
properly with NIS entries. The error message is

rsh: rshrcmd: setuid(0): Operation not permitted.

It looks like a bug in getpwnam(3).  To make a long story short,
the current rsh(1) has the following structure.

int main ()
{
	uid_t uid;
	struct passwd *pw;

	pw = getpwuid(uid=getuid());
	...
	rcmd(..., pw->pw_name, ...);
	...
}

In libc, rcmd and rshrcmd are implemented as,

rcmd(..., locuser, ...)
	const char *locuser;
{
	...
	rshrcmd(..., locuser, ...);
	...
}

rshrcmd(..., locuser, ....)
	const char *locuser;
{
	....
	DEBUGprintf("%s\n", locuser);
	pw = getpwnam(locuser);
	DEBUGprintf("%s\n", locuser);
	....
	setuid(locuser);
	...
}

When the passwd file includes a +@netgroup entry,
the first DEBUGprintf shows the invoking user's name, but the second one
does not match the first one (in my case, it changed to "root").
So the last setuid causes the error.

I don't know whether this rsh (and rcp) implementation is
*correct* or not, since the getpwnam(3) manual entry says,

BUGS
     The functions getpwent(), getpwnam(), and getpwuid(), leave their results
     in an internal static object and return a pointer to that object. Subse-
     quent calls to the same function will modify the same object.


Note: You can reproduce this behavior with libc.so.12.5 
on NetBSD-1.2.1, too.

>How-To-Repeat:
	See above.
>Fix:
	I think getpwnam should be fixed, but it looks too difficult
for me :-) So here is an AD HOC fix for rshrcmd.

--- ./lib/libc/net/rcmd.c.orig	Tue May 27 20:24:33 1997
+++ ./lib/libc/net/rcmd.c	Wed Jun  4 20:55:51 1997
@@ -283,16 +283,21 @@
 	int sp[2], ep[2];
 	char *p;
 	struct passwd *pw;
+	char *keeplocuser;
 
 	/* What rsh/shell to use. */
 	if (rshcmd == NULL)
 		rshcmd = _PATH_BIN_RCMD;
 
+	/* copy original locuser */
+	keeplocuser=strdup(locuser);
+
 	/* locuser must exist on this host. */
-	if ((pw = getpwnam(locuser)) == NULL) {
+	if ((pw = getpwnam(keeplocuser)) == NULL) {
 		warnx("rshrcmd: unknown user: %s", locuser);
 		return(-1);
 	}
+	free(keeplocuser);
 
 	/* get a socketpair we'll use for stdin and stdout. */
 	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) {
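Review bot: keeplocuser is leaked on the unknown-user path, because the return(-1) inside the getpwnam failure branch runs before the free(keeplocuser) that follows the branch; free the copy there as well. The strdup result is also handed to getpwnam without a NULL check, and the warnx still prints locuser, which per the description above may already have been overwritten by the getpwnam call, so print keeplocuser (before freeing it) instead.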
>Audit-Trail:
>Unformatted:
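
Added example (not part of the original report and not NetBSD's libc code): a constructed model of the static-buffer aliasing described above, with the reported call pattern beside a caller that copies the name first. All toy_* names, uid_unsafe, uid_safe and the sample entries are assumptions made for illustration; the model is built to reproduce the reported symptom (the name turning into "root").

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: both lookups return a pointer to ONE static object. */
struct toy_passwd { char pw_name[32]; unsigned pw_uid; };
static const struct toy_passwd toy_db[] = {      /* constructed sample entries */
    { "root", 0 }, { "alice", 1001 }, { "bob", 1002 },
};
#define TOY_N (sizeof toy_db / sizeof toy_db[0])
static struct toy_passwd toy_static;             /* shared result buffer */

static struct toy_passwd *toy_getpwuid(unsigned uid) {
    for (size_t i = 0; i < TOY_N; i++) {
        toy_static = toy_db[i];                  /* load candidate, then compare */
        if (toy_static.pw_uid == uid) return &toy_static;
    }
    return NULL;
}

/* If `name` points into toy_static, loading a candidate rewrites the key. */
static struct toy_passwd *toy_getpwnam(const char *name) {
    for (size_t i = 0; i < TOY_N; i++) {
        toy_static = toy_db[i];
        if (strcmp(toy_static.pw_name, name) == 0) return &toy_static;
    }
    return NULL;
}

/* Pattern from the report: pw_name of one lookup fed straight into the next. */
long uid_unsafe(unsigned uid) {
    struct toy_passwd *pw = toy_getpwuid(uid);
    if (pw == NULL) return -1;
    pw = toy_getpwnam(pw->pw_name);              /* argument aliases the buffer */
    return pw ? (long)pw->pw_uid : -1;
}

/* Hardened caller: private copy of the name before any further lookup. */
long uid_safe(unsigned uid) {
    char name[sizeof toy_static.pw_name];
    struct toy_passwd *pw = toy_getpwuid(uid);
    if (pw == NULL) return -1;
    memcpy(name, pw->pw_name, sizeof name);      /* same size, NUL included */
    pw = toy_getpwnam(name);
    return pw ? (long)pw->pw_uid : -1;
}

int main(void) {
    printf("unsafe=%ld safe=%ld\n", uid_unsafe(1001), uid_safe(1001));
    return 0;
}
```

On systems that provide it, getpwnam_r(3), which fills a caller-supplied buffer, avoids the shared static object altogether.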