From des@flood.ping.uio.no Sat Mar 27 11:14:10 1999 Return-Path: Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 48C06153FA for ; Sat, 27 Mar 1999 11:14:08 -0800 (PST) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.2/8.9.1) id UAA70054; Sat, 27 Mar 1999 20:13:49 +0100 (CET) (envelope-from des) Message-Id: <199903271913.UAA70054@flood.ping.uio.no> Date: Sat, 27 Mar 1999 20:13:49 +0100 (CET) From: des@flood.ping.uio.no Reply-To: des@flood.ping.uio.no To: FreeBSD-gnats-submit@freebsd.org Subject: getpwent() fails on NIS clients after dropping privs X-Send-Pr-Version: 3.2 >Number: 10821 >Category: bin >Synopsis: getpwent() fails on NIS clients after dropping privs >Confidential: no >Severity: serious >Priority: medium >Responsible: des >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Mar 27 11:20:01 PST 1999 >Closed-Date: Sun Jan 13 08:01:26 PST 2002 >Last-Modified: Sun Jan 13 08:01:27 PST 2002 >Originator: Dag-Erling Smorgrav >Release: FreeBSD 3.1-STABLE i386 >Organization: >Environment: FreeBSD 3.1 or 4.0 configured as NIS client of a FreeBSD NIS server with master.passwd maps. >Description: The first time it runs, the NIS code in src/lib/libc/gen/getpwent.c attempts to determine whether or not it has access to master.passwd. The result of this test is saved in the global variable _gotmaster. If the NIS server is a FreeBSD machine, it will only grant access to those maps if the request originates from a privileged port. Thus the test will only succeed if the process has an effective UID of 0 the first time the NIS code runs. The catch is that the NIS lookup code in src/lib/libc/yp/yplib.c closes the NIS socket and reconnects if it detects a fork. It does this by storing the pid when connecting, and checking that it is still the same before every lookup. If the calling process drops privileges and forks, getpwent.c will try to access master.passwd, but yplib.c will not be able to connect from a privileged port. The NIS lookup will fail. >How-To-Repeat: One piece of software which very clearly exhibits this problem is the Apache HTTP daemon. Attempts to request any user's home page will fail if the daemon runs on a NIS client and the requested user is listed in the NIS password maps but not in the local password database. >Fix: src/lib/libc/gen/getpwent.c should retry lookups in the regular maps if lookups in the restricted maps fail. >Release-Note: >Audit-Trail: Responsible-Changed-From-To: freebsd-bugs->des Responsible-Changed-By: des Responsible-Changed-When: Sat Mar 27 13:29:55 PST 1999 Responsible-Changed-Why: I'm working on a fix. From: Gerald Pfeifer To: freebsd-gnats-submit@freebsd.org Cc: des@flood.ping.uio.no, Andreas Kreuzinger Subject: Re: bin/10821: getpwent() fails on NIS clients after dropping privs Date: Thu, 6 May 1999 12:57:18 +0200 (MET DST) With FreeBSD 3.1-RELEASE we experience problems that may be related. We have three identically configured clients (no differences in /etc, for example). o One client works fine. o One client only accepts login by local users (root). o One client is accepting SSH logins (of NIS users), but no console login except local users (root). However, a root login with `su - NISuser` works! `ypcat passwd`, however, works correctly on *all* of these machines! NIS Server is a Solaris 2.6 host. Gerald PS: You mentioned that you're working on a fix for bin/10821. How is the state of that? -- Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/ From: Dag-Erling Smorgrav To: bug-followup@freebsd.org Cc: Subject: Re: bin/10821 Date: 27 Nov 2001 14:59:38 +0100 The relevant bits of libc have been rewritten since this PR was submitted. Does the problem still occur with a newer FreeBSD version? Unfortunately, I no longer have a NIS client to test this on. DES -- Dag-Erling Smorgrav - des@ofug.org State-Changed-From-To: open->closed State-Changed-By: des State-Changed-When: Sun Jan 13 08:01:26 PST 2002 State-Changed-Why: Feedback timeout http://www.FreeBSD.org/cgi/query-pr.cgi?pr=10821 >Unformatted: