Subject: bin/23804: /etc/security does not support NIS NetGroups (patch included)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <l.barnaba@OpenSSL.IT>
List: netbsd-bugs
Date: 12/20/2003 08:59:32
>Number: 23804
>Category: bin
>Synopsis: /etc/security does not recognize NIS NetGroups entries in /etc/master.passwd and treats them as invalid passwd entries.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Dec 20 08:00:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Marcello Barnaba
>Release: NetBSD 1.6ZC
>Organization:
OpenSSL.IT
>Environment:
/etc/security version: $NetBSD: security,v 1.84 2003/10/01 04:29:03 jhawk Exp $
System: NetBSD starfleet.openssl.thc 1.6ZC NetBSD 1.6ZC (STARFLEET-$Revision: 1.158 $) #1: Tue Oct 7 08:05:50 CEST 2003 root@starfleet.openssl.thc:/usr/src/sys/arch/macppc/compile/obj.macppc/STARFLEET macppc
Architecture: powerpc
Machine: macppc
>Description:
NIS NetGroups are a facility that makes it possible to choose which accounts are to
be imported from a NIS server, instead of pulling them all.
The syntax of a netgroup line is similar to this:
+@STARFLEET:::::::::
/etc/security correctly recognizes standard NIS lines (like +:*::::::::/sbin/nologin),
but doesn't know how to deal with NetGroup lines:
Checking the /etc/master.passwd file:
Login +@STARFLEET has non-alphanumeric characters.
Login +@STARFLEET has more than 8 characters.
Login +@STARFLEET has no password.
Login +@STARFLEET does not have a valid shell ()
Login +@STARFLEET has a negative user id.
Login +@STARFLEET has a negative group id.
>How-To-Repeat:
Simply include a NetGroup line in your /etc/master.passwd with vipw, and wait for the
daily security check.
>Fix:
The following patch makes sure that NetGroup lines are treated like standard NIS ones,
enforcing the uid 0 check on the third field:
--- security.orig 2003-12-20 08:30:23.000000000 +0100
+++ security 2003-12-20 08:32:19.000000000 +0100
@@ -202,7 +202,7 @@
}
if (NF != 10 && ($1 != "+" || NF != 1))
printf "Line %d has the wrong number of fields.\n", NR;
- if ($1 == "+" ) {
+ if ($1 == "+" || $1 ~ /^+@/) {
if (NF != 1 && $3 == 0)
printf "Line %d includes entries with uid 0.\n",
NR;
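Review bot: the new condition `$1 ~ /^+@/` leaves the `+` unescaped, and in an awk ERE `+` is a repetition operator: `^+` is undefined in POSIX and, in implementations that accept it, is read as a quantifier on the anchor rather than a literal plus sign, so a line such as `+@STARFLEET:::::::::` from the description can still fall through to the per-login checks. Write it as `$1 ~ /^\+@/` (or `substr($1, 1, 2) == "+@"`). The wrong-number-of-fields test two lines above the change is left alone, which is correct here since a netgroup line carries the full 10 fields and so never hits it.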
>Release-Note:
>Audit-Trail:
>Unformatted:
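As an added example, not the NetBSD /etc/security script itself (which the report only excerpts), the following POSIX shell wrapper around an awk program re-implements the subset of master.passwd checks whose messages appear in the description, with the NIS compat branch widened to `+@netgroup` lines and the `+` escaped in the ERE. The sample master.passwd lines are constructed for the example, the function names `sample_master_passwd` and `check_master_passwd` are this example's own, and the check list is deliberately a subset of the real script's (no /etc/shells lookup, and malformed lines are skipped after the field-count message rather than checked further).

```shell
#!/bin/sh
# Added example: a subset of the /etc/security master.passwd checks,
# written to accept NIS compat lines ("+", "+:...:" and "+@NETGROUP").
# This is not the NetBSD script; it reproduces only the checks quoted
# in the bug report, with one of them (the field-count check) made
# terminal so that empty fields do not trigger follow-on warnings.

# Constructed sample master.passwd (10 colon-separated fields per line:
# name:password:uid:gid:class:change:expire:gecos:home:shell).
sample_master_passwd() {
    printf '%s\n' \
        'root:*:0:0::0:0:Charlie &:/root:/bin/sh' \
        '+@STARFLEET:::::::::' \
        '+:*::::::::/sbin/nologin' \
        '+::0:::::::' \
        '+@ADMINS::0:::::::' \
        'bad.name:*:1001:1001::0:0:Constructed:/home/bad:/bin/sh' \
        'guest::1002:1002::0:0:Constructed:/home/guest:/bin/sh' \
        'neg:*:-1:-1::0:0:Constructed:/home/neg:/bin/sh' \
        'broken:*:1003'
}

# Reads master.passwd lines on stdin, prints one warning per finding.
check_master_passwd() {
    awk -F: '
    {
        # A bare "+" line has a single field; everything else needs 10.
        # Malformed lines are reported and skipped, since comparing an
        # absent field against 0 would otherwise be a string comparison.
        if (NF != 10 && ($1 != "+" || NF != 1)) {
            printf "Line %d has the wrong number of fields.\n", NR
            next
        }
        # NIS compat lines: "+" (optionally with override fields) or
        # "+@NETGROUP".  The plus must be escaped: unescaped, "^+" is an
        # ERE repetition operator applied to the anchor, not a literal.
        if ($1 == "+" || $1 ~ /^\+@/) {
            # An override template with uid 0 would grant root to every
            # imported account, so that is the one field still checked.
            if (NF != 1 && $3 == 0)
                printf "Line %d includes entries with uid 0.\n", NR
            next
        }
        # Ordinary local accounts: the checks from the report.
        if ($1 !~ /^[A-Za-z0-9_-]+$/)
            printf "Login %s has non-alphanumeric characters.\n", $1
        if (length($1) > 8)
            printf "Login %s has more than 8 characters.\n", $1
        if ($2 == "")
            printf "Login %s has no password.\n", $1
        if ($3 < 0)
            printf "Login %s has a negative user id.\n", $1
        if ($4 < 0)
            printf "Login %s has a negative group id.\n", $1
    }'
}

# Stand-alone run: the two netgroup lines with an empty uid pass silently,
# the two "+" lines carrying uid 0 are reported by line number.
sample_master_passwd | check_master_passwd
```

Because the compat branch ends in `next`, the `+@STARFLEET` line never reaches the login-name, password or uid checks, which is exactly the set of six spurious warnings the report shows; the `+@ADMINS::0:::::::` line demonstrates that the uid 0 check still fires for a netgroup line.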