pam_access change to netgroup interpretation



Apologies for the cross-post, the catalyst for the change was discussed on the RedHat list, but I figured the SourceForge one is the authoritative upstream list.


Our netgroups look like: (-, apollock, )

Our access.conf looks like:


To be clear, we have per-host netgroups.

As of the change made in

Significant line change (pam_access.c) (lines 512-516):

before: return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
after:  return (netgroup_match (pamh, tok + 1, item->hostname, string, item->debug));

pam_access now wants the netgroup to look like (, apollock, )

or our use case fails.

Apparently this change was made based on a user request, because this user seemed to want to have a single netgroup for all hosts that arbitrated access, based on the user and host components of the netgroup triple.

That said, trying to mix users and hosts is an incorrect use of a netgroup. states that

admins (altair, hauri), (sirius,juanita,sales)

is the equivalent of

admins (altair,-), (sirius,-), (-,hauri), (-,juanita,sales)

so it comes down to what you're querying a netgroup for, users or hosts. Trying to mix the two will give undesired results. says:

Because the "-" character will not match any specific username or hostname, it is commonly used as a placeholder that will match only wildcarded membership queries. So, for example:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only users, respectively. Any other string that is guaranteed not to be a legal username or hostname will also suffice for this purpose.
Use of placeholders will improve search performance.

also says:

Though netgroup pairs (or triples) group together hostnames, usernames and domainnames, nothing really reads them in that manner. They exist only in NIS maps. The file /etc/netgroup only exists in order to be your 'flat' source file.

It is important to understand that there is no necessary relationship between the machine and user elements in an entry, and such definitions usually should be split into two: one for users and one for servers.

admins (-,john), (-,nick)

It is possible to omit the dash and use just a leading comma. But if this netgroup were ever accidentally included in a list of hosts rather than users, the blank space would be interpreted as a wildcard meaning any host. For example, if someone used this netgroup in a -access list in the /etc/exports file, any host would have access to the exported directory. For this reason, if a netgroup is used strictly as a list of users, you should always put a dash in the host field, as in the example above.

The following netgroup will not do what you expect:

bogus-group (machine1,user1), (machine2,user2) # not what you might think !!!

You might think this means user1 at machine1 and user2 at machine2, but in actuality it is a netgroup that defines either two users (user1 and user2), if used in a place where the configuration file expects users, or two machines (machine1 and machine2), if used where the particular configuration file expects a list of hosts.

So I'm going to file a bug about this, but I wanted to provide the full background here for discussion also.



Pam-list mailing list
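The following is an added example, not code from the post above or from Linux-PAM. It re-implements innetgr(3)-style triple matching in Python so the effect of the pam_access change can be seen directly: with the host argument NULL, a "(-, user, )" triple matches on the user field alone; once the connecting hostname is passed, the "-" host field can never match, while an empty host field (a wildcard) still does. The flat-file parser, the netgroup contents and the assumption that pam_access passes no domain are all constructed for this example and are not taken from the post or from pam_access.c.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

Triple = Tuple[str, str, str]
Member = Union[str, Triple]          # a nested netgroup name or a (host,user,domain) triple
Netgroups = Dict[str, List[Member]]

# Constructed /etc/netgroup contents for the cases discussed in the post (not real data).
NETGROUP_FILE = """\
admins      (-,apollock,)
admins-new  (,apollock,)
onlyhosts   (host1,-,our.domain) (host2,-,our.domain)
onlyusers   (-,john,our.domain) (-,linda,our.domain)
bogus-group (machine1,user1), (machine2,user2)
everyone    onlyhosts onlyusers
"""

_MEMBER_RE = re.compile(r"\(([^)]*)\)|([^\s,()]+)")   # "(a,b,c)" or a bare nested name


def parse_netgroup_file(text: str) -> Netgroups:
    """Parse flat-file netgroup syntax: NAME followed by triples, pairs or nested names."""
    groups: Netgroups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members: List[Member] = []
        for triple, nested in _MEMBER_RE.findall(rest):
            if nested:
                members.append(nested)
                continue
            fields = [f.strip() for f in triple.split(",")]
            fields += [""] * (3 - len(fields))      # a (host,user) pair has a wildcard domain
            members.append((fields[0], fields[1], fields[2]))
        groups[name] = members
    return groups


def field_matches(pattern: str, query: Optional[str]) -> bool:
    """One field of a stored triple against one field of the query."""
    if query is None:      # caller does not care about this field (the C code's NULL)
        return True
    if pattern == "":      # empty field in the triple is a wildcard
        return True
    if pattern == "-":     # "-" is a placeholder that matches no real host/user/domain
        return False
    return pattern == query


def innetgr(groups: Netgroups, group: str, host: Optional[str], user: Optional[str],
            domain: Optional[str], _seen: Optional[set] = None) -> bool:
    """innetgr(3)-style membership test; nested netgroups are followed, cycles ignored."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in groups:
        return False
    _seen.add(group)
    for member in groups[group]:
        if isinstance(member, str):
            if innetgr(groups, member, host, user, domain, _seen):
                return True
            continue
        h, u, d = member
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return False


def pam_access_old(groups: Netgroups, netgroup: str, user: str) -> bool:
    """Models the pre-change call with a NULL host: only the user field is consulted.
    Domain is treated as don't-care here (an assumption of this example)."""
    return innetgr(groups, netgroup, None, user, None)


def pam_access_new(groups: Netgroups, netgroup: str, hostname: str, user: str) -> bool:
    """Models the post-change call with item->hostname: the host field must match too."""
    return innetgr(groups, netgroup, hostname, user, None)


def demo() -> Dict[str, bool]:
    g = parse_netgroup_file(NETGROUP_FILE)
    return {
        "old_dash_host": pam_access_old(g, "admins", "apollock"),              # matched before
        "new_dash_host": pam_access_new(g, "admins", "host1", "apollock"),     # "-" never equals host1
        "new_empty_host": pam_access_new(g, "admins-new", "host1", "apollock"),  # wildcard host works
        "onlyusers_as_hosts": innetgr(g, "onlyusers", "host1", None, "our.domain"),  # "-" guard holds
        "onlyusers_as_users": innetgr(g, "onlyusers", None, "linda", "our.domain"),
        "bogus_host": innetgr(g, "bogus-group", "machine2", None, None),      # two hosts when asked for hosts
        "bogus_user": innetgr(g, "bogus-group", None, "user2", None),         # two users when asked for users
        "nested": innetgr(g, "everyone", "host2", None, "our.domain"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `pam_access_*` functions are the only place the old and new behaviour differ: the new call supplies a real hostname, so a netgroup written with "-" in the host field (the users-only form the quoted documentation recommends) stops matching, and only the empty, wildcard host field keeps working.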
