Menu

#306 New pam_access netgroup handling is incorrect

closed-fixed
nobody
modules (176)
7
2009-11-19
2009-11-04
No

Background:

Our netgroups look like:

login_samplehost.example.com (-, apollock, )

Our access.conf looks like:

+:root:ALL
+:@login_samplehost.example.com:ALL
-:ALL:ALL

To be clear, we have per-host netgroups.

As of the change made in
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_access/pam_access.c?view=diff&pathrev=Linux-PAM-1_0_90&r1=1.29&r2=1.30

Significant line change (pam_access.c) (lines 512-516):

return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
return (netgroup_match (pamh, tok + 1, item->hostname, string,
item->debug));

pam_access now wants the netgroup to look like

login_samplehost.example.com (, apollock, )

or our use case fails.

Apparently this change was made based on a user request -
http://www.redhat.com/archives/pam-list/2008-April/msg00032.html because
this user seemed to want to have a single netgroup for all hosts that
arbitrated access, based on the user and host components of the netgroup
triple.

That said, trying to mix users and hosts is incorrect use of a netgroup.
http://docs.sun.com/app/docs/doc/806-1387/6jam692ck?a=view states that

admins (altair, hauri), (sirius,juanita,sales)

is the equivalent of

admins (altair,-), (sirius,-), (-,hauri), (-,juanita,sales)

so it comes down to what you're querying a netgroup for, users or hosts.
Trying to mix the two will give undesired results.

http://docs.sun.com/app/docs/doc/816-5174/netgroup-4?l=en&a=view&q=netgroup
says:

Because the "-" character will not match any specific username or hostname,
it is commonly used as a placeholder that will match only wildcarded
membership queries. So, for example:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only users,
respectively. Any other string that is guaranteed not to be a legal username
or hostname will also suffice for this purpose.
Use of placeholders will improve search performance.

http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml also
says:

Though netgroup pairs (or triples) group together hostnames, usernames and
domainnames, nothing really reads them in that manner. They exist only in
NIS maps. The file /etc/netgroup only exists in order to be your 'flat'
source file.

It is important to understand that there is no necessary relationship
between the machine and user elements in an entry and such definitions
usually should be split into two: one for users and one for servers. admins
(-,john), (-,nick)It is possible to omit dash and use just leading comma.
But if this netgroup were ever accidentally included in a list of hosts
rather than users, the blank space would be interpreted as a wildcard
meaning any host. For example, if someone used this netgroup in a -access list
in the /etc/exports file, any host would have access to the exported
directory. For this reason, if a netgroup is used strictly as a list of
users, you should always put a dash in the host field, as in example above.

The following netgroup will not do what you expect:

bogus-group (machine1,user1), (machine2,user2) # not what you might think
!!!

You might think this means user1 at machine1 and user2 at machine2, but in
actuality, it is a netgroup that defines either two users (user1 and user2)
if used in place were configuration file expects users or two machines
(machine1 and machine2) is uses when particular configuration file expects
list of hosts.

Discussion

  • Andrew Pollock

    Andrew Pollock - 2009-11-06
    • priority: 5 --> 7
     
  • Andrew Pollock

    Andrew Pollock - 2009-11-06

    I'm raising the priority on this a little, because for us, the new version of pam_access completely breaks our authorization setup

     
  • Thorsten Kukuk

    Thorsten Kukuk - 2009-11-19

    Fixed in CVS.

     
  • Thorsten Kukuk

    Thorsten Kukuk - 2009-11-19
    • status: open --> closed-fixed
     

Log in to post a comment.