getpwent cannot enumerate users from netgroups with libnss_compat

Bug #378874 reported by rws
This bug affects 2 people
Affects: glibc (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

This is on 9.04, but I suspect it applies to all versions.

I am using LDAP user authentication, but want to restrict access by netgroup. However, when I use netgroups, getent passwd no longer lists all of my users.

'getent passwd' does not list netgroup members when added to password file like this:
+@netgroup:x:::::

If I do 'getent passwd user' and the user is a member of the group, it does work, though. They can even log in. So the user is there, it just does not get listed.

If a user is added individually, it does get listed.
+user:x:::::

However, when it hits a +@group line, it stops processing /etc/passwd, so any users listed after the netgroup do not get displayed, either. The accounts still work, though.

So, if my /etc/passwd looked like this, getent passwd would list all local users except me, and not include any members of the "admins" netgroup, either:
root:x:0:0:root:/root:/bin/bash
[...]
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
+@admins:x:::::
rws:x:1000:1000:Robert,,,:/home/rws:/bin/zsh

These are the relevant lines from my nsswitch.conf:
passwd: compat
group: files ldap
shadow: compat

passwd_compat: ldap
shadow_compat: ldap

Revision history for this message
rws (robert-schlotterbeck+launchpad) wrote:

I get the same behavior on RedHat, too.

Solaris systems properly list the members. So, there is now officially one thing our Solaris systems do better than our Linux systems with regard to LDAP authentication.

Mike Gabriel (sunweaver) wrote:

I can confirm the issue for Ubuntu Karmic 9.10 and for Debian Lenny.

But the following works for me (which can be used as a workaround for some, maybe):

-@netgroup:x:::::
+:x::::::

In this context this means: getpwent will list all LDAP users except those in @netgroup.

Mike Gabriel (sunweaver) wrote:

The bug also persists if you use

  netgroup: files

in conjunction with a /etc/netgroup file instead of

  netgroup: ldap

in /etc/nsswitch.conf.

Mike Gabriel (sunweaver) wrote:

This problem coexists when using netgroups and pam_access.so...

I have two netgroups (netgroup-staff, netgroup-students); only "netgroup-staff" shall get access to my system...

When tweaking /etc/security/access.conf this _does not_ work, but it should:

  <snippet>
  + : root locadm : ALL
  + : @netgroup-staff : ALL

  # All other users should be denied to get access from all sources.
  - : ALL : ALL
  </snippet>

However, similar to the issues above, putting the following lines into /etc/security/access.conf _does_ work:

  <snippet>
  + : root locadm : ALL
  - : @netgroup-students : ALL

  # All other users can access the system from any source
  + : ALL : ALL
  </snippet>

Mike Gabriel (sunweaver) wrote:

The following behaviour is also a bug:

I have userA, userB and userC; userA+B are in netgroup "netgroup-staff".

My /etc/passwd looks like this:
  <snippet>
  [...local accounts]
  -@netgroup-staff:x:::::
  +:x:::::
  </snippet>

When using the command "getent passwd", the list looks like this (userA+B are excluded from the passwd list, because their netgroup is denied access to the system):

  <snippet>
  [...local accounts]
  userC:x:<uidN>:<gidN>:<GECOS>:/home/userC:/bin/bash
  </snippet>

Till here everything looks fine...

However, when I use "getent passwd userA" I expect that nothing will be returned. But contrary to my expectation the following line is returned:

  <snippet>
  userA:x:<uidN>:<gidN>:<GECOS>:/home/userA:/bin/bash
  </snippet>

To my understanding using nss_compat and a passwd config as shown above should hide users that are not members in "netgroup-staff" completely from the system. Unfortunately, this is not the case...
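The "+user", "+@netgroup", "-@netgroup" and bare "+" rules that the report and the comments above rely on, modelled as an added example (this is not glibc's nss_compat code): it computes what getent passwd and getent passwd NAME should return for a constructed passwd file, netgroup table and remote (LDAP) user set, so the behaviour reported here (enumeration stopping at the +@ line, a -@netgroup member still found by name) can be compared against the expected result. All user, netgroup and LDAP entries are constructed.

```python
# Model of the nss_compat "+"/"-" passwd rules discussed in this thread (added
# example, not glibc code). PASSWD, NETGROUPS and LDAP are constructed inputs;
# the functions return the EXPECTED getent passwd / getent passwd NAME results.
PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
+@admins:x:::::
rws:x:1000:1000:Robert,,,:/home/rws:/bin/zsh
-@students:x:::::
+:x:::::
"""
NETGROUPS = {"admins": {"alice", "bob"}, "students": {"carol"}}
LDAP = {  # constructed remote entries: name -> full passwd line
    "alice": "alice:x:2001:2001:Alice:/home/alice:/bin/bash",
    "bob": "bob:x:2002:2002:Bob:/home/bob:/bin/bash",
    "carol": "carol:x:2003:2003:Carol:/home/carol:/bin/bash",
    "dave": "dave:x:2004:2004:Dave:/home/dave:/bin/bash",
}

def members(spec):
    """Users a rule selects: '@ng' = netgroup, '' = every remote user, else one name."""
    if spec.startswith("@"):
        return NETGROUPS.get(spec[1:], set())
    return set(LDAP) if spec == "" else {spec}

def enumerate_passwd(passwd=PASSWD):
    """Expected getpwent(): walk the WHOLE file; '+' pulls remote users in once, '-' excludes them."""
    seen, denied, out = set(), set(), []
    for line in passwd.splitlines():
        name = line.split(":", 1)[0]
        if name.startswith("+"):
            for user in sorted(members(name[1:])):
                if user in LDAP and user not in seen | denied:
                    seen.add(user)
                    out.append(LDAP[user])
        elif name.startswith("-"):
            denied |= members(name[1:])
        else:  # ordinary local entry
            seen.add(name)
            out.append(line)
    return out

def lookup(user, passwd=PASSWD):
    """Expected getpwnam(): the first rule naming the user decides; a '-' match means not found."""
    for line in passwd.splitlines():
        name = line.split(":", 1)[0]
        if name == user:
            return line
        if name.startswith(("+", "-")) and user in members(name[1:]):
            return None if name[0] == "-" else LDAP.get(user)
    return None
```

With this file, enumerate_passwd() lists root, sshd, alice, bob, rws and dave, while lookup("carol") is None because the -@students rule precedes the bare "+"; the thread reports glibc's nss_compat deviating from both expectations.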

Mike Gabriel (sunweaver) wrote:

TYPO in the last paragraph, here is the correct phrase: To my understanding using nss_compat and a passwd config as shown above should hide users that _are_ (here was the typo) members in "netgroup-staff" completely from the system. Unfortunately, this is not the case...
