Subject: bin/31956: Makefile.yp: shadow.byname map should respect MINUID
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <andrew.daugherity@gmail.com>
List: netbsd-bugs
Date: 10/31/2005 09:17:00
>Number:         31956
>Category:       bin
>Synopsis:       Makefile.yp: shadow.byname map should respect MINUID
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 31 09:17:00 +0000 2005
>Originator:     Andrew Daugherity
>Release:        2.0.2
>Organization:
>Environment:
NetBSD argonath 2.0.2 NetBSD 2.0.2 (ARGONATH) #4: Wed Oct 12 04:08:38 CDT 2005  andrew@argonath:/usr/src/sys/arch/i386/compile/ARGONATH i386

>Description:
When the shadow map is enabled in /var/yp/`domainname`/Makefile, it contains entries for all accounts (including root), regardless of the setting of MINUID in the Makefile.  If configured, the MINUID setting should apply to both the passwd map and the shadow map, to prevent root's encrypted passwd from being accessible by clients (cf. pr #5999).
>How-To-Repeat:
(Assuming ypserv is already configured...)
- Enable the shadow map by adding "shadow" to the "all:" rule in /var/yp/`domainname`/Makefile.
- Also set MINUID=1000 (or any value > 0) in this file and re-run make.
- Observe that the generated shadow.byname map contains entries for all accounts, not just those >= MINUID.
>Fix:
This patch simply adapts the MINUID logic in the passwd.time rule to shadow.time.


Index: Makefile.yp
===================================================================
RCS file: /cvsroot/src/usr.sbin/ypserv/ypinit/Makefile.yp,v
retrieving revision 1.20
diff -u -r1.20 Makefile.yp
--- Makefile.yp 29 Dec 2004 13:08:24 -0000      1.20
+++ Makefile.yp 31 Oct 2005 08:43:25 -0000
@@ -138,9 +138,11 @@
 shadow.time: ${DIR}/master.passwd
        -@if [ -f ${.ALLSRC} ]; then \
                umask 077 ; \
-               ${CAT} ${.ALLSRC} | ${CUT} -d: -f1-2 | \
-               ${AWK} 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \
-               { print $$1, $$0":10779:0:99999:7:::" }' - | \
+               ${CAT} ${.ALLSRC} | ${CUT} -d: -f1-3 | \
+               ${AWK} -v minuid=${MINUID} \
+               'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \
+               { if (minuid <= $$3) \
+               print $$1, $$1":"$$2":10779:0:99999:7:::" }' - | \
                ${SORT} | ${MAKEDBM_S} - shadow.byname; \
                ${TOUCH} ${.TARGET}; \
                ${ECHO} "updated shadow"; \
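
Review bot: In the added `${AWK} -v minuid=${MINUID}` line, the filter depends on MINUID expanding to a number, and nothing in this hunk guarantees that. If MINUID is empty, awk receives `minuid=` and the test `minuid <= $$3` stops being a numeric comparison (an empty string compares as less than any UID string), so every account, root included, still lands in shadow.byname. Because the rule is prefixed with `-@`, make would also ignore any awk failure here. Consider giving the value a default or forcing numeric context, for example `minuid+0 <= $$3+0`, and adding a comment next to the MINUID definition in the Makefile saying it now governs the shadow map as well as passwd.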