Subject: bin/33138: /etc/security doesn't like nontrivial compat entries
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <dholland@eecs.harvard.edu>
List: netbsd-bugs
Date: 03/24/2006 03:45:00
>Number:         33138
>Category:       bin
>Synopsis:       /etc/security doesn't like nontrivial compat entries
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 24 03:45:00 +0000 2006
>Originator:     David A. Holland
>Release:        NetBSD 3.0_STABLE (20060310)
>Environment:
System: NetBSD rhett 3.0_STABLE NetBSD 3.0_STABLE (RHETT) #0: Fri Mar 10 23:37:46 EST 2006  dholland@rhett:/usr/src/sys/arch/i386/compile/RHETT i386
Architecture: i386
Machine: i386
>Description:
NIS compat entries in /etc/master.passwd that include usernames
cause /etc/security to issue incorrect error messages.

>How-To-Repeat:
Turn on NIS, and add (e.g.)

	+joe:::::::::

to master.passwd. Then run /etc/security. Output includes messages like

	Login +joe has non-alphanumeric characters.
	Login +joe has no password.
	Login +joe does not have a valid shell ()
	Login +joe has a negative user id.
	Login +joe has a negative group id.

This can be silenced by adding "+joe" to $check_passwd_nowarn_users,
but that's obviously not the correct long-term solution.

>Fix:

Suggested patch for /etc/security, against 1.94.2.1 (same as 1.95),
will merge with current 1.96:

Index: security
===================================================================
RCS file: /cvsroot/src/etc/security,v
retrieving revision 1.94.2.1
diff -u -r1.94.2.1 security
--- security	13 Apr 2005 15:56:38 -0000	1.94.2.1
+++ security	24 Mar 2006 03:27:53 -0000
@@ -213,13 +213,23 @@
 			printf "Line %d is a blank line.\n", NR;
 			next;
 		}
-		if (NF != 10 && ($1 != "+" || NF != 1))
+
+		# NIS compat entry?
+		compatline = $1 ~ "^[\\+-]";
+		if (compatline) {
+			if ($1 == "+" && NF == 1) {
+				next;
+			}
+			sub("^.", "", $1);
+		}
+		if (NF != 10)
 			printf "Line %d has the wrong number of fields.\n", NR;
-		if ($1 == "+" )  {
-			if (NF != 1 && $3 == 0)
+		if (compatline)  {
+			if ($3 == 0)
 			    printf "Line %d includes entries with uid 0.\n",
 			        NR;
-			next;
+			if ($1 == "")
+			    next;
 		}
 		if (!permit_nonalpha &&
 		    $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
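Review bot: the prefix strip at `sub("^.", "", $1)` turns a `+@netgroup` or `-@netgroup` compat entry into the login name `@netgroup`, which the name check right below (`$1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/`) still rejects with "has non-alphanumeric characters", so the netgroup form of a compat entry stays noisy after this hunk. When `compatline` is set, strip a leading `@` as well (or flag the line as a netgroup and skip the name check for it). A smaller point: the dynamic regex string `"^[\\+-]"` depends on the awk treating `\+` inside a bracket expression as an escape; the literal `/^[+-]/` expresses the same match without that dependency.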
@@ -228,7 +238,7 @@
 		if (length($1) > len)
 			printf "Login %s has more than "len" characters.\n",
 			    $1;
-		if ($2 == "" && !nowarn_users[$1])
+		if ($2 == "" && !compatline && !nowarn_users[$1])
 			    printf "Login %s has no password.\n", $1;
 		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
 		    if (length($2) != 13 &&
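Review bot: the `!compatline` term at `if ($2 == "" && !compatline && !nowarn_users[$1])` is the right exemption, but nothing in the hunk says why, and the next reader will not see the connection to NIS. Add a one-line comment above it stating that an empty password field in a compat entry means the value is taken from the NIS map, so the exemption is not mistaken for a loosening of the check and reverted. Note the exemption only covers the empty case: a compat line that carries its own `$2` still goes through the format test starting at `if (length($2) != 13 &&`, which is what you want.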
@@ -242,15 +252,17 @@
 		    	    if ($10 == "" || shells[$10])
 				printf "Login %s is off but still has "\
 				  "a valid shell (%s)\n", $1, $10;
+		    } else if (compatline && $10 == "") {
+			    # nothing
 		    } else if (! shells[$10])
 		    	    printf "Login %s does not have a valid "\
 			    "shell (%s)\n", $1, $10;
 		}
 		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
 			printf "Login %s has a user id of 0.\n", $1;
-		if ($3 < 0)
+		if ($3 != "" && $3 < 0)
 			printf "Login %s has a negative user id.\n", $1;
-		if ($4 < 0)
+		if ($4 != "" && $4 < 0)
 			printf "Login %s has a negative group id.\n", $1;
 	}' < $MP > $OUTPUT
 	if [ -s $OUTPUT ] ; then
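Review bot: the `$3 != "" &&` and `$4 != "" &&` guards remove the spurious "negative user id" and "negative group id" messages (awk compares an empty field with 0 as a string, and "" sorts before "0", so `$3 < 0` was true for every empty uid), but after this hunk the visible checks say nothing at all about an empty uid or gid on a regular, non-compat entry, where the old message was misleading but at least drew attention to a mangled line. Add something like `if (!compatline && ($3 == "" || $4 == "")) printf "Login %s has an empty uid or gid.\n", $1;` before the negative checks. Style: the empty `} else if (compatline && $10 == "") { # nothing` branch reads better folded into the condition of the branch that follows it, e.g. `} else if (!shells[$10] && !(compatline && $10 == ""))`.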
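As an added example (this is not NetBSD's /etc/security and not part of the PR), the POSIX sh script below runs a compat-aware subset of the master.passwd field checks described above over constructed sample entries, so the behaviour for `+joe:::::::::` and friends can be seen without enabling NIS. It goes beyond the PR in two places that are this example's own assumptions: `+@netgroup`/`-@netgroup` entries are stripped to the netgroup name before the login-name check, and a regular entry with an empty uid or gid gets its own warning instead of being silently skipped by the emptiness guard. The sample master.passwd lines are made up.

```shell
#!/bin/sh
# Added example, not NetBSD's /etc/security: a compat-aware subset of the
# master.passwd field checks.  The +@netgroup handling and the explicit
# empty-uid/gid warning go beyond the PR; the sample entries are made up.

# Constructed sample master.passwd contents (no real accounts).
SAMPLE_MP='root:*:0:0::0:0:Charlie &:/root:/bin/sh
joe:*:1001:100::0:0:Joe:/home/joe:/bin/sh
+joe:::::::::
+@nisusers:::::::::
-badguy:::::::::
+::0:0::::::/bin/sh
bob::1002:100::0:0:Bob:/home/bob:/bin/sh
neg:*:-1:100::0:0:Neg:/home/neg:/bin/sh
nouid:*::100::0:0:No uid:/home/nouid:/bin/sh
+'

# Reads master.passwd lines on stdin, prints one message per problem found.
check_master_passwd() {
	awk -F: '
	{
		# A bare "+" pulls in the whole NIS map; nothing to check.
		if (NF == 1 && $1 == "+") next;

		# NIS compat entry: +name, -name, +@netgroup, -@netgroup.
		compat = ($1 ~ /^[+-]/);
		if (compat) {
			sub(/^[+-]/, "", $1);
			if ($1 ~ /^@/) sub(/^@/, "", $1);   # netgroup: check the name part only
		}
		if (NF != 10) {
			printf "Line %d has the wrong number of fields.\n", NR;
			next;
		}
		# A compat line may override the uid, so catch "+::0:0" style
		# entries even when no login name follows the "+".
		if (compat && $3 != "" && $3 == 0)
			printf "Line %d includes entries with uid 0.\n", NR;
		if (compat && $1 == "") next;

		if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
			printf "Login %s has non-alphanumeric characters.\n", $1;
		# An empty password in a compat entry means "take it from NIS".
		if ($2 == "" && !compat)
			printf "Login %s has no password.\n", $1;
		# Extra check (assumption of this example): a local entry must
		# carry both ids; a compat entry legitimately leaves them empty.
		if (!compat && ($3 == "" || $4 == ""))
			printf "Login %s has an empty uid or gid.\n", $1;
		# awk compares an empty field with 0 as a string, and "" < "0" is
		# true, so the emptiness test must come before the numeric one.
		if ($3 != "" && $3 < 0)
			printf "Login %s has a negative user id.\n", $1;
		if ($4 != "" && $4 < 0)
			printf "Login %s has a negative group id.\n", $1;
	}'
}

printf '%s\n' "$SAMPLE_MP" | check_master_passwd
```

Run as-is, the script reports only the `+::0:0` override, bob's empty password, neg's negative uid and nouid's empty uid; the `+joe`, `+@nisusers` and `-badguy` lines produce nothing, which is the behaviour the PR asks for. Piping `/etc/master.passwd` into `check_master_passwd` on a real host shows the same checks against live data.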