Bug 147323 - nscd does not honour NIS compat notation
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Reported: 2005-02-07 10:45 UTC by Evan Champion
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-02-10 16:27:39 UTC

Description Evan Champion 2005-02-07 10:45:52 UTC
nscd does not honour NIS compat notation.  Consider this /etc/passwd:

+:*:::::

If you run it without nscd, the result will be to make available all
the NIS passwd entries as-is, but with the password hash replaced by
"*".  If you run it with nscd and do a getent passwd as root, the
password hash will not be replaced (you will get the records with the
password hash from NIS).

One would not expect the semantics to change by enabling a cache
daemon.  This may be considered a security exposure; someone may have
set up their system this way intentionally, perhaps for example to
require Kerberos authentication on their system but to still use NIS
for the user directory (this is why I did it).  Then they enable nscd
to improve NIS performance, and suddenly the system allows NIS
authentication where it didn't before.

nscd also is not a valid package choice when submitting Bugzilla
tickets.  Hopefully assigning to authconfig puts this ticket somewhere
useful.

Comment 1 Jakub Jelinek 2005-02-08 09:20:54 UTC
Can't reproduce it here, with
+:*:::::
at the end I'm seeing:
bar:*:2001:2001:NIS user:/dev/null:/sbin/nologin
foo:*:2000:2000:NIS user:/dev/null:/sbin/nologin
while with files nis in nsswitch.conf and that line missing I'm getting
bar:x:2001:2001:Foo:/dev/null:/sbin/nologin
foo:x:2000:2000:Foo:/dev/null:/sbin/nologin
nscd is running in both cases.
Are you sure you have flushed nscd's cache after making the changes in
/etc/passwd?
nscd -i passwd
in this case.


Comment 2 Evan Champion 2005-02-10 15:58:36 UTC
I have upgraded to latest development.  I used to be able to get it to fail
every time, no matter what I did (restart nscd, reboot computer, etc.).  Now I
got it to fail once (returning NIS password hash instead of *, per the example).
I will do some more testing to see if I can identify what circumstances caused
that.

Comment 3 Evan Champion 2005-02-10 16:26:01 UTC
Well, I have tried for the last 30 mins to make it do it, and I can't -- both
iterating over the entire password file (getent passwd) and looking for specific
users returns the right thing.  I also ran nscd in debug and timed the
difference between cached/uncached results, and am fairly sure nscd is doing
something.  Sorry for wasting your time on something that was already fixed. 
Please go ahead and close.
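
The comparison made by hand in this thread, as an added example (not part of the bug report and not glibc or nscd code): a Python check that reads the password override from a bare `+` entry such as `+:*:::::` and lists looked-up entries whose password field does not carry it. It covers only the bare `+` form and the password field; the function names and all sample data, including the hash placeholder, are constructed for illustration.

```python
# Added example: audit passwd-format lookup output against a compat "+" override.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

def parse(text):
    """Yield one dict per well-formed passwd(5) line (7 colon-separated fields)."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7 and not line.startswith("#"):
            yield dict(zip(FIELDS, parts))

def plus_override(local_passwd):
    """Password field of the bare '+' entry, or None if absent or empty."""
    for entry in parse(local_passwd):
        if entry["name"] == "+" and entry["passwd"]:
            return entry["passwd"]
    return None

def leaked_entries(local_passwd, lookup_output):
    """Names of non-local entries whose password field is not the override."""
    override = plus_override(local_passwd)
    if override is None:
        return []  # no override configured, nothing to enforce
    # Entries written out in the local file keep their own password field.
    local = {e["name"] for e in parse(local_passwd)
             if e["name"][:1] not in ("+", "-")}
    return [e["name"] for e in parse(lookup_output)
            if e["name"] not in local and e["passwd"] != override]

# Constructed sample data (the foo/bar lines follow the shape shown in Comment 1).
LOCAL = "root:x:0:0:root:/root:/bin/bash\n+:*:::::\n"
EXPECTED = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bar:*:2001:2001:NIS user:/dev/null:/sbin/nologin\n"
    "foo:*:2000:2000:NIS user:/dev/null:/sbin/nologin\n"
)
# Same lookup, but one NIS entry came back with its hash (placeholder value).
UNEXPECTED = EXPECTED.replace("foo:*:", "foo:CONSTRUCTED-HASH:")

if __name__ == "__main__":
    print("override:", plus_override(LOCAL))
    print("expected output  ->", leaked_entries(LOCAL, EXPECTED))
    print("unexpected output ->", leaked_entries(LOCAL, UNEXPECTED))
```

To use it on a real host, pass the contents of /etc/passwd and the output of `getent passwd` captured as root, once with nscd stopped and once with it running after `nscd -i passwd`.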

