Bug 167669 - Add netgroup support in pam
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Keywords: FutureFeature
Blocks: 170445
Reported: 2005-09-06 15:39 EDT by Tom "spot" Callaway
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Enhancement
Last Closed: 2005-12-15 06:05:24 EST

Description Tom "spot" Callaway 2005-09-06 15:39:16 EDT
Description of problem:

One of my customers is trying to use LDAP netgroups to limit user access to the
client. When I had Nalin look into the feasibility of doing this in RHEL, he
discovered that none of the modules (including pam_ldap) support access control
using netgroups.

He also pointed out that it wouldn't be too much work to implement it, and that
it would be a good candidate for going in during an update cycle.

Specifically, once you have a user name and a host name, and assuming nss_ldap's
working, you can call the libc function innetgr() to check for membership.

Comment 2 Johnray Fuller 2005-09-15 16:30:03 EDT
Should netgroup support be added to pam_listfile as well or other modules
besides pam_ldap?

This way netgroup authentication can be more broadly deployed (e.g. NIS, NIS+, etc).

Comment 3 Tomas Mraz 2005-09-16 05:39:11 EDT
There is some netgroup support in pam_access (matches @netgroup); however, I
don't know if it's sufficient or even working.

There is also a yp_get_default_domain() call, and the domain obtained is always
passed as the domain parameter to the innetgr() function.

Comment 4 Nalin Dahyabhai 2005-09-16 09:36:54 EDT
Oddly enough we have a different customer who is attempting to use pam_access to
enforce a requirement on membership in a netgroup, and they're running afoul of
pam_access's assumption that there should be a controlling terminal.  Something
like pam_listfile or pam_succeed_if would work much better for them, but neither
currently supports netgroups.

One thing to keep in mind about glibc is that netgroups in general aren't tied
to NIS, so yp_get_default_domain() can fail even when netgroups are available,
for example in /etc/netgroup.  What value is appropriate for the "domain" in
this case is open to question, but the matching works even if you're using local

Comment 5 Tomas Mraz 2005-09-16 09:49:12 EDT
I know about this problem with no controlling tty and pam_access and I've
already proposed a patch for it - see bug 168276.

The yp_get_default_domain() failure doesn't break the netgroup match, since the
domain is then set to NULL, which is a wildcard matching any domain in the
innetgr() function.

Comment 8 Tomas Mraz 2005-10-11 18:57:11 EDT
Tom, what are the exact requirements for netgroup matching they have?

The pam_access module can call innetgr() for both the user and the host name,
but it is called separately. So if you configure it for the user name, it is
called with the hostname as a wildcard (innetgr(group, 0, user, domain)), and
vice versa (innetgr(group, host, 0, domain)).

So the question is: would the current support in pam_access be sufficient? And
if not, which module would be the best to add the support to (pam_succeed_if?).
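The matching rule the thread relies on (comments 5 and 8) is easy to get wrong, so here is an added worked example. It is not code from this bug, from PAM or from glibc: calling the real innetgr(3) needs a configured NSS netgroup source, so the block re-implements innetgr()'s documented wildcard rule (a NULL host, user or domain argument matches any entry, and an empty entry field matches any value) over a constructed in-memory netgroup table in /etc/netgroup syntax. The group names, hosts, users and domains in SAMPLE_NETGROUP, and the helper names in_netgroup(), pam_access_user_match() and pam_access_host_match(), are all hypothetical; the last two only mirror the two separate calls comment 8 describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (hypothetical, not from the bug), in /etc/netgroup syntax:
 * "name (host,user,domain) ... nested-name ...". An empty field is a wildcard;
 * "-" is the conventional placeholder that no real host or user name equals. */
static const char *SAMPLE_NETGROUP =
    "ops      (,alice,) (,bob,example.com)\n"
    "webhosts (www1.example.com,-,) (www2.example.com,-,)\n"
    "admins   ops (db1.example.com,carol,example.com)\n";

#define MAX_DEPTH 8   /* stops recursion on cyclic nested netgroups */

/* innetgr() field rule: NULL query matches anything, empty entry field matches
 * anything, otherwise the strings must be identical. */
static int field_match(const char *entry, size_t len, const char *query)
{
    if (query == NULL || len == 0)
        return 1;
    return strlen(query) == len && strncmp(entry, query, len) == 0;
}

/* Pointer just past the group name on its defining line, or NULL if absent. */
static const char *find_group(const char *file, const char *group)
{
    size_t glen = strlen(group);
    const char *p = file;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > glen && strncmp(p, group, glen) == 0 &&
            isspace((unsigned char)p[glen]))
            return p + glen;
        p += linelen + (eol ? 1 : 0);
    }
    return NULL;
}

static int match_depth(const char *file, const char *group, const char *host,
                       const char *user, const char *domain, int depth)
{
    const char *p, *eol;
    if (depth > MAX_DEPTH || (p = find_group(file, group)) == NULL)
        return 0;
    eol = strchr(p, '\n');
    if (eol == NULL)
        eol = p + strlen(p);
    while (p < eol) {
        while (p < eol && isspace((unsigned char)*p))
            p++;
        if (p >= eol)
            break;
        if (*p == '(') {                          /* (host,user,domain) triple */
            const char *h = p + 1;
            const char *c1 = memchr(h, ',', (size_t)(eol - h));
            const char *c2 = c1 ? memchr(c1 + 1, ',', (size_t)(eol - c1 - 1)) : NULL;
            const char *cl = c2 ? memchr(c2 + 1, ')', (size_t)(eol - c2 - 1)) : NULL;
            if (cl == NULL)
                return 0;                         /* malformed entry: fail closed */
            if (field_match(h, (size_t)(c1 - h), host) &&
                field_match(c1 + 1, (size_t)(c2 - c1 - 1), user) &&
                field_match(c2 + 1, (size_t)(cl - c2 - 1), domain))
                return 1;
            p = cl + 1;
        } else {                                  /* name of a nested netgroup */
            const char *end = p;
            char name[64];
            size_t n;
            while (end < eol && !isspace((unsigned char)*end))
                end++;
            n = (size_t)(end - p);
            if (n >= sizeof name)
                return 0;
            memcpy(name, p, n);
            name[n] = '\0';
            if (match_depth(file, name, host, user, domain, depth + 1))
                return 1;
            p = end;
        }
    }
    return 0;
}

/* Same argument order and wildcard semantics as libc innetgr(3), over the table. */
int in_netgroup(const char *group, const char *host, const char *user,
                const char *domain)
{
    return match_depth(SAMPLE_NETGROUP, group, host, user, domain, 0);
}

/* The two separate calls comment 8 describes: host wildcarded when checking the
 * user, user wildcarded when checking the host. */
int pam_access_user_match(const char *group, const char *user, const char *domain)
{
    return in_netgroup(group, NULL, user, domain);
}

int pam_access_host_match(const char *group, const char *host, const char *domain)
{
    return in_netgroup(group, host, NULL, domain);
}

int main(void)
{
    const char *domain = NULL;  /* what a failed yp_get_default_domain() leaves: a wildcard */
    /* carol is listed only for db1, yet the user-only check accepts her from any host */
    printf("user-only check, carol: %d\n", pam_access_user_match("admins", "carol", domain));
    printf("full triple, carol@www1: %d\n",
           in_netgroup("admins", "www1.example.com", "carol", domain));
    return 0;
}
```

The point a practitioner should take from running it: with the host and user checked in two independent calls, a (host,user,domain) triple such as `(db1.example.com,carol,example.com)` degrades to "carol from anywhere" plus "anyone from db1", so the pairing the netgroup expresses is lost. Enforcing that pairing needs a single innetgr(group, host, user, domain) call with both values supplied, and a NULL domain (the yp_get_default_domain() failure case) widens the match to every domain rather than failing closed.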

Comment 11 Tomas Mraz 2005-12-15 06:05:24 EST
There is already support in pam_access which should be good enough.
In RHEL 4 U3 netgroups will also be supported in the pam_succeed_if module.
