
NIS netgroups in /etc/hosts.equiv: Fixed. (fwd)




-------------------------------------------------------------------------------
|       I told you I'm not very bright -- Sugar in "Some Like It Hot"         |
|      "RPM is the greatest thing since swap-space" - Bryan C. Andregg
|                                                                             |
|       Erik Troan   =   ewt@redhat.com     =    ewt@sunsite.unc.edu          |

---------- Forwarded message ----------
Date: Mon, 17 Mar 1997 14:01:53 +0000
From: Wilf <G.Wilford@ee.surrey.ac.uk>
To: redhat-devel-list@redhat.com
Subject: NIS netgroups in /etc/hosts.equiv: Fixed. 
Resent-Date: 17 Mar 1997 14:03:04 -0000
Resent-From: redhat-devel-list@redhat.com
Resent-cc: recipient list not shown: ;


RedHat 4.x does not support host/user netgroups in /etc/hosts.equiv or
~/.rhosts.

This is because in.rlogind and in.rshd are linked with the PAM library
rather than using explicit ruserok() calls to validate the host/user. 
The PAM module (pam_rhosts_auth) does the file parsing itself and
doesn't understand netgroups.

With a nys libc (as bundled with RedHat 4.x), the ruserok() call would
correctly resolve any netgroup entries; however, it is not possible to
restrict searching of users' ~/.rhosts files with this call.  I guess
this is why the PAM module doesn't use ruserok().

I have hacked the pam_rhosts_auth module in pam-0.54-4.src.rpm to do
host/user netgroup lookups.  Most of the new stuff is taken directly
from inet/rcmd.c.new in the source libc rpm.

The patch against Linux-PAM-0.54 also includes a small change to
redhat.defs to remove -pedantic from the compiler flags.  -pedantic
causes the compile to fail on a sparc during inclusion of some asm
headers.  The new pam_rhosts_auth module works for me, but will need
some testing by others.

pam-0.54-5.src.rpm and pam-0.54-5.sparc.rpm uploaded to

ftp://ftp.redhat.com/pub/incoming

Here is the patch:

(/usr/src/redhat/SOURCES/Linux-PAM-0.54-rhosts_netgroup.patch)

--------------------cut here-------------------
--- Linux-PAM-0.54/defs/redhat.defs.orig	Mon Mar 17 10:45:25 1997
+++ Linux-PAM-0.54/defs/redhat.defs	Mon Mar 17 10:40:51 1997
@@ -27,3 +27,8 @@
 CONFIGED=$(PPFIX)/etc
 LIBDIR=$(PREFIX)/lib
 SECUREDIR=$(LIBDIR)/security
+WARNINGS = -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
+	   -Wpointer-arith -Wcast-qual -Wcast-align \
+	   -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \
+	   -Wnested-externs -Winline -Wshadow
+
--- Linux-PAM-0.54/modules/pam_rhosts/pam_rhosts_auth.c.rhosts_netgroup	Sun Dec  1 03:09:48 1996
+++ Linux-PAM-0.54/modules/pam_rhosts/pam_rhosts_auth.c	Mon Mar 17 11:40:58 1997
@@ -35,6 +35,7 @@
 
 #define USER_RHOSTS_FILE "/.rhosts"     /* prefixed by user's home dir */
 #define THE_SUPERUSER    "root"         /* name should be settable */
+#define YP
 
 #ifdef linux
 #include <endian.h>
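Review bot: `#define YP` is unconditional, so every `#ifdef YP` this patch introduces is always true and the pre-existing non-netgroup path under `#else` becomes dead code that can no longer be selected at build time. If the conditional is meant to stay a build option, the define belongs in the compiler flags (the patch already edits redhat.defs, so `-DYP` could go there) rather than in the source; if it is not, the `#ifdef`/`#else` pairs can simply be dropped and the old path deleted.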
@@ -94,6 +95,16 @@
     const char *last_error;
 };
 
+#ifdef YP
+#include <rpcsvc/ypclnt.h>
+extern void setnetgrent(const char *);
+extern void endnetgrent(void);
+extern int getnetgrent(char **, char **, char **);
+static char *nisdomain = NULL;
+static int __ichecknetgrouphost(struct _options *opts, u_long, const char *);
+static int _checknetgroupuser(const char *, const char *);
+#endif
+
 static void set_option (struct _options *opts, const char *arg)
 {
     if (strcmp (arg, "no_hosts_equiv") == 0) {
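Review bot: The hand-written `extern` prototypes for `setnetgrent`, `endnetgrent` and `getnetgrent` bypass the libc header, so if the library's real signature differs (glibc, for one, declares `setnetgrent` as returning `int`) the declarations either conflict at compile time or silently mask the mismatch. Prefer `#include <netdb.h>` here and keep only declarations the header genuinely lacks. `nisdomain` is a file-scope pointer that the helpers added at the end of the file fill in lazily and never free; a one-line comment saying so, e.g. `/* NIS domain from yp_get_default_domain(); points at library-owned storage, assumed stable for the process lifetime — confirm */`, would spare the next reader a search. The `__ichecknetgrouphost` name sits in the implementation-reserved identifier space, though it follows the file's existing `__icheckhost` precedent.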
@@ -221,6 +232,11 @@
     int ch;
     char buf[MAXHOSTNAMELEN + 128];                       /* host + login */
 
+#ifdef YP
+	int badhost = 1;
+	int baduser = 1;
+#endif
+
     buf[sizeof (buf)-1] = '\0';                 	/* terminate line */
 
     while (fgets(buf, sizeof (buf)-1, hostf)) {   /* line from hostf file */
@@ -263,12 +279,45 @@
 
 	/* buf -> host(?) ; user -> username(?) */
 
+#ifdef YP
+            /* disable host from -hostname entry */
+        if ('-' == buf[0] && '@' != buf[1]
+            && __icheckhost(opts, raddr, &buf[1]) == 0)
+          return (1);
+            /* disable host from -@netgroup entry for host */
+        if ('-' == buf[0] && '@' == buf[1] && '\0' != buf[2]
+            && __ichecknetgrouphost(opts, raddr, &buf[2]) == 0)
+          return (1);
+            /* disable user from -user entry */
+        if ('\0' != *user && user[0] == '-' && user[1] != '@'
+            && !strcmp(&user[1], ruser))
+          return (1);
+            /* disable user from -@netgroup entry for user */
+        if ('\0' != *user && user[0] == '-' && user[1] == '@'
+            && user[2] != '\0' && _checknetgroupuser(ruser, &user[2]) == 0)
+          return (1);
+            /* enable host from +@netgroup entry for host */
+        if ('+' == buf[0] && '@' == buf[1] && '\0' != buf[2])
+          badhost = __ichecknetgrouphost(opts, raddr, &buf[2]);
+        else
+          badhost = __icheckhost(opts, raddr, buf);
+            /* enable user from +@netgroup entry for user */
+        if ('\0' != *user && user[0] == '+'
+            && user[1] == '@' && user[2] != '\0')
+          baduser = _checknetgroupuser(ruser, &user[2]);
+        else
+          baduser = strcmp(ruser, *user ? user : luser);
+        
+        if (!badhost && !baduser)
+          return (0);
+#else
 	if (__icheckhost(opts, raddr, buf) == 0) {
 	    if (! (*user))
 	        user = luser;
 	    if (strcmp(ruser, user) == 0)
 	        return (0);
 	}
+#endif /* YP */
     }
 
     return (1);
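Review bot: A deny entry that does not match the client falls through to the positive checks with its `-` prefix still attached: a `-host` or `-@netgroup` line reaches `__icheckhost(opts, raddr, buf)` as a literal hostname, and a `-user` field reaches the `strcmp` against `ruser`. That only denies access because the lookup of a name beginning with `-` presumably fails at the resolver (the comment above `__icheckhost` says it walks nameserver addresses), which is an implicit guarantee and also costs a pointless lookup per deny line. Make it explicit by skipping such lines once the four deny checks have not fired, e.g. `if ('-' == buf[0] || '-' == user[0]) continue;` placed before the `+@netgroup` host test. The enclosing function starts before this hunk; its tail at `return (1)` is unchanged.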
@@ -281,7 +330,7 @@
  * contains hostnames, we spin through the list of addresses the nameserver
  * gives us and look for a match.
  *
- * Returns 0 if ok, -1 if not ok.
+ * Returns 0 if ok, 1 if not ok.
  */
 
 static int
@@ -521,3 +570,75 @@
  * removed code for manually setting the remote username etc..
  *
  */
+ 
+
+#ifdef YP
+
+/* Ok, this is mostly dragged in from inet/rcmd.c.new in libc, however ret 
+   codes are reversed to match the other functions in here. ie. (0) for 
+   success, (1) for failure */
+   
+static int
+__ichecknetgrouphost(struct _options *opts, u_long raddr, const char *netgr)
+{
+  char *host, *user, *domain;
+  int status;
+  
+  if (NULL == nisdomain)
+    yp_get_default_domain(&nisdomain);
+  
+  setnetgrent(netgr);
+  while (1)
+    {
+      while (1 == (status = getnetgrent(&host, &user, &domain))
+             && NULL == host
+             && NULL != domain
+             && 0 != strcmp(domain, nisdomain))
+        ;  /* find valid host entry */
+      
+      if (0 == status || NULL == host)
+        {
+          endnetgrent();
+          return (1);
+        }
+
+      if(__icheckhost(opts, raddr, host) == 0)
+        {
+          endnetgrent();
+          return (0);
+        }
+    }
+}
+
+static int
+_checknetgroupuser(const char *ruser, const char *netgr)
+{
+  char *host, *user, *domain;
+  int status;
+  
+  if (NULL == nisdomain)
+    yp_get_default_domain(&nisdomain);
+  
+  setnetgrent(netgr);
+  while (1)
+    {
+      while (1 == (status = getnetgrent(&host, &user, &domain))
+             && NULL == user
+             && NULL != domain
+             && 0 != strcmp(domain, nisdomain))
+        ;  /* find valid user entry */
+      
+      if (0 == status || NULL == user)
+        {
+          endnetgrent();
+          return (1);
+        }
+
+      if(0 == strcmp(ruser, user))
+        {
+          endnetgrent();
+          return (0);
+        }
+    }
+}
+#endif /* YP */
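Review bot: The return value of `yp_get_default_domain(&nisdomain)` is ignored in both new helpers, so on failure `nisdomain` stays NULL and the inner loop's `strcmp(domain, nisdomain)` dereferences a null pointer as soon as a triple with a NULL host (or NULL user) and a non-NULL domain is encountered. Treat a failed domain lookup as "no match" instead: `if (NULL == nisdomain && 0 != yp_get_default_domain(&nisdomain)) return (1);` in `__ichecknetgrouphost` and the same line in `_checknetgroupuser`. Separately, note that the skip loop only discards triples whose host (or user) field is NULL; a triple naming a concrete host or user under a different NIS domain is still compared and can grant access, which may be the intended libc semantics but is worth a comment confirming it, since the domain field is otherwise the only thing scoping a netgroup. The two functions differ only in which field they inspect and could share one static walker taking a selector, which would keep the fix in a single place.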
--------------------cut here-------------------


Here is a patch to the spec file:

--- pam-0.54.spec       Tue Dec 17 19:43:34 1996
+++ pam-0.54.spec.new   Mon Mar 17 10:23:50 1997
@@ -1,7 +1,7 @@
 Summary: Pluggable Authentication Modules: modular, incremental authentication
 Name: pam
 Version: 0.54
-Release: 4
+Release: 5
 Copyright: GPL or BSD
 Group: Base
 Source: http://parc.power.net/morgan/Linux-PAM/Linux-PAM-0.54.tar.gz
@@ -19,6 +19,7 @@
 Patch11: Linux-PAM-0.54-glibc.patch
 Patch12: Linux-PAM-0.54-abortonloaderr.patch
 Patch13: Linux-PAM-0.54-ldx.patch
+Patch14: Linux-PAM-0.54-rhosts_netgroup.patch
 Requires: pamconfig, cracklib-dicts, pwdb
 
 %description
@@ -41,6 +42,7 @@
 %patch9 -p1 -b .nopasswd+
 %patch12 -p1 -b .loaderr
 %patch13 -p1 -b .ldx
+%patch14 -p1 -b .rhosts_netgroup
 
 %ifarch alpha
 %patch10 -p1 -b .noaxp


Cheers,
Wilf.   
-- 
 	Dr Graeme Wilford		Software Support Officer
	Dept. of Electronic Eng.	Phone: 01483 259826
	University of Surrey 		Fax:   01483 34139
	Guildford, Surrey GU2 5XH	email: G.Wilford@ee.surrey.ac.uk


--
To unsubscribe:
mail -s unsubscribe redhat-devel-list-request@redhat.com < /dev/null


