Bug 167669

Summary: Add netgroup support in pam
Product: Red Hat Enterprise Linux 3
Component: pam
Version: 3.0
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Reporter: Tom "spot" Callaway <tcallawa>
Assignee: Tomas Mraz <tmraz>
CC: nalin, tmraz
Keywords: FutureFeature
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: None
Doc Type: Enhancement
Last Closed: 2005-12-15 11:05:24 UTC
Bug Blocks: 170445

Description Tom "spot" Callaway 2005-09-06 19:39:16 UTC
Description of problem:

One of my customers is trying to use LDAP netgroups to limit user access to the
client. When I had Nalin look into the feasibility of doing this in RHEL, he
discovered that none of the modules (including pam_ldap) support access control
using netgroups.

He also pointed out that it wouldn't be too much work to implement it, and that
it would be a good candidate for going in during an update cycle.

Specifically, once you have a user name and a host name, and assuming nss_ldap's
working, you can call the libc function innetgr() to check for membership.

Comment 2 Johnray Fuller 2005-09-15 20:30:03 UTC
Should netgroup support be added to pam_listfile as well, or to other modules
besides pam_ldap?

This way netgroup authentication can be more broadly deployed (e.g. NIS, NIS+, etc).

J

Comment 3 Tomas Mraz 2005-09-16 09:39:11 UTC
There is some netgroup support in pam_access (matches @netgroup); however, I don't
know if it's sufficient or even working.

There is also yp_get_default_domain() call and the domain obtained is always
passed as the domain parameter to the innetgr function.


Comment 4 Nalin Dahyabhai 2005-09-16 13:36:54 UTC
Oddly enough we have a different customer who is attempting to use pam_access to
enforce a requirement on membership in a netgroup, and they're running afoul of
pam_access's assumption that there should be a controlling terminal.  Something
like pam_listfile or pam_succeed_if would work much better for them, but neither
currently supports netgroups.

One thing to keep in mind about glibc is that netgroups in general aren't tied
to NIS, so yp_get_default_domain() can fail even when netgroups are available,
for example in /etc/netgroup.  What value is appropriate for the "domain" in
this case is open to question, but the matching works even if you're using local
files.

Comment 5 Tomas Mraz 2005-09-16 13:49:12 UTC
I know about this problem with no controlling tty and pam_access and I've
already proposed a patch for it - see bug 168276.

The yp_get_default_domain() failure doesn't break the netgroup match, since
domain is then set to NULL, and that is a wildcard matching any domain in the
innetgr() function.


Comment 8 Tomas Mraz 2005-10-11 22:57:11 UTC
Tom, what are the exact requirements for netgroup matching they have?

The pam_access module can call innetgr for both user and host name, but it is
called separately. So if you configure it for user name it is called with
hostname as a wildcard (innetgr(group, 0, user, domain)) and vice versa
(innetgr(group, host, 0, domain)).

So the question is: would the current support in pam_access be sufficient? And
if not, which module would be the best to add the support to (pam_succeed_if?)?

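The wildcard behaviour discussed in comments 5 and 8, as an added example (not code from pam_access or the bug): a small reimplementation of innetgr()'s (host,user,domain) triple matching over a constructed netgroup table, so the separate user-only and host-only queries and the NULL domain wildcard can be exercised offline, plus the equivalent call against glibc's real innetgr(). The table contents and the helper names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
/* glibc prototype for the real call (also declared in <netdb.h>). */
int innetgr(const char *, const char *, const char *, const char *);

/* Constructed netgroup table standing in for /etc/netgroup or LDAP:
 * each entry is (host,user,domain); an empty field is a wildcard. */
struct triple { const char *group, *host, *user, *domain; };
static const struct triple NETGROUP[] = {
    { "admins",   "",             "alice", "example.com" },
    { "admins",   "",             "bob",   "" },
    { "webhosts", "www1.example", "",      "example.com" },
    { "webhosts", "www2.example", "",      "" },
};

/* innetgr() semantics: an empty table field or a NULL query argument
 * matches anything; otherwise the strings must be equal. */
static int field_match(const char *table, const char *query) {
    return table[0] == '\0' || query == NULL || strcmp(table, query) == 0;
}

/* Offline stand-in for innetgr(group, host, user, domain). */
int in_netgroup(const char *group, const char *host,
                const char *user, const char *domain) {
    for (size_t i = 0; i < sizeof NETGROUP / sizeof NETGROUP[0]; i++) {
        const struct triple *t = &NETGROUP[i];
        if (strcmp(t->group, group) == 0 && field_match(t->host, host) &&
            field_match(t->user, user) && field_match(t->domain, domain))
            return 1;
    }
    return 0;
}

/* pam_access-style checks: user and host are queried separately with the
 * other position wildcarded. A NULL domain models a failed
 * yp_get_default_domain() and matches any domain (comment 5). */
int user_in_netgroup(const char *g, const char *user, const char *domain) {
    return in_netgroup(g, NULL, user, domain);
}
int host_in_netgroup(const char *g, const char *host, const char *domain) {
    return in_netgroup(g, host, NULL, domain);
}
/* Same user query against the live NSS netgroup database; returns 0 on a
 * system with no netgroup source configured. */
int user_in_netgroup_nss(const char *g, const char *user, const char *domain) {
    return innetgr(g, NULL, user, domain);
}
```

Note that a host-only query against a netgroup whose entries have an empty host field (like "admins" above) matches every host, which is why the user and host checks have to be chosen deliberately in the pam_access configuration.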

Comment 11 Tomas Mraz 2005-12-15 11:05:24 UTC
There is already support in pam_access which should be good enough.
In RHEL 4 U3 netgroups will be supported also in pam_succeed_if module.