Subject: Re: proposed changes to /etc/security
To: Todd Vierling, Matthew Jacob
From: Martin J. Laubach
List: tech-security
Date: 07/25/1998 22:43:08
| I don't think we support YP uid/gid remapping or absence of the "*" invalid
| password.  Correct me if I'm wrong, please; I only use the default setup,
| but I am interested in as strict a setup for this.

  I don't know whether it actually works, but it is mentioned in
the passwd(5) manpage.

: If YP is active, the passwd file also supports standard YP exclusions and
: inclusions, based on user names and netgroups.
: Lines beginning with a ``-'' (minus sign) are entries marked as being ex-
: cluded from any following inclusions, which are marked with a ``+'' (plus
: sign).
: If the second character of the line is a ``@'' (at sign), the operation
: involves the user fields of all entries in the netgroup specified by the
: remaining characters of the name field.  Otherwise, the remainder of the
: name field is assumed to be a specific user name.
: The ``+'' token may also be alone in the name field, which causes all
: users from the passwd.byname and passwd.byuid YP maps to be included.
: If the entry contains non-empty uid or gid fields, the specified numbers
: will override the information retrieved from the YP maps. As well, if the
: gecos, dir or shell entries contain text, it will override the informa-
: tion included via YP.  On some systems, the passwd field may also be
: overridden.

  I'd also suggest that the function to ignore lines that look like
they belong to YP only kicks in when one is actually using NIS (i.e.
ypbind=YES), and spits out a warning otherwise ("YP-Style entry found
in /etc/passwd, but YP not active" or such).
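
The check suggested in the message above, sketched as an added example (not part of the original message and not the /etc/security script's own code): it classifies `+`/`-` lines the way the quoted passwd(5) text describes them, and warns instead when YP is not active. The function name, the YES/NO argument, the seven-field layout and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# check_yp_entries YPACTIVE  (reads passwd-format text on stdin)
# YPACTIVE is "YES" or "NO"; assumed to come from the ypbind setting.
# Exit status: 0 = nothing to warn about, 1 = YP-style lines without YP.
check_yp_entries() {
    awk -F: -v yp="$1" '
    # Describe a +/- name field as the passwd(5) text quoted above explains it.
    function kind(name,    op, rest) {
        op = (substr(name, 1, 1) == "+") ? "include" : "exclude"
        rest = substr(name, 2)
        if (rest == "")
            return (op == "include") ? "include all YP users" : "exclude with empty name"
        if (substr(rest, 1, 1) == "@")
            return op " netgroup " substr(rest, 2)
        return op " user " rest
    }
    /^[+-]/ {
        if (yp != "YES") {
            printf "line %d: YP-style entry found, but YP not active: %s\n", NR, $1
            bad = 1
            next
        }
        # Non-empty fields override what the YP maps supply.
        over = ""
        if ($3 != "") over = over " uid=" $3
        if ($4 != "") over = over " gid=" $4
        if ($5 != "") over = over " gecos=" $5
        if ($6 != "") over = over " dir=" $6
        if ($7 != "") over = over " shell=" $7
        printf "line %d: %s%s\n", NR, kind($1), (over == "" ? "" : " (overrides:" over ")")
    }
    END { exit bad + 0 }'
}

# Constructed sample input (name:passwd:uid:gid:gecos:dir:shell).
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
-baduser::::::
+@staff::::::/bin/sh
+alice::2001::::
+::::::
EOF
}

sample_passwd | check_yp_entries YES
sample_passwd | check_yp_entries NO || true
```
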