Bug 253092 - rsh/rlogin/rcp fail with NIS netgroup sub-group
Summary: rsh/rlogin/rcp fail with NIS netgroup sub-group
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc   
(Show other bugs)
Version: 5.0
Hardware: i686
OS: Linux
Target Milestone: ---
: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-16 21:39 UTC by Kevin Collins
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-17 13:34:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Kevin Collins 2007-08-16 21:39:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; GIL 2; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

Description of problem:
If a client host is specified in a netgroup which is a member of another netgroup, which in turn is granted access via hosts.equiv or .rhosts, the client host is denied access via rsh/rlogin/rcp without a password. 

In other words, if netgroup "linux" contains netgroup "rhel5", and netgroup rhel5 contains host "server1" and hosts.equiv has the entry "+@linux", rsh/rlogin/rcp fail.

If however, the hosts.equiv contains "+@rhel5" OR netgroup "linux" contains "server1", then server1 will be allowed access.

This is contrary to expected behavior, as seen on RHEL3, HPUX, Solaris.

It almost appears as if the innetgr() call is not recursing.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create netgroup "linux" as:

linux rhel5

2. create netgroup "rhel5" as:

rhel5 (server1,,)

3. Add netgroup entry for "linux" to /etc/hosts.equiv:


4) attempt to rsh/rlogin/rcp from server1 - access is denied

Actual Results:
Access denied:

Aug 16 09:40:11 cpafiszi rlogind[18783]: pam_rhosts_auth(rlogin:auth): denied to cokm@cpafiszk as cokm: access not allowed

Expected Results:
Access allowed

Additional info:
We are using RFC2307 (NIS data stored in LDAP) rather than a standard ypserver, but this behavior is only experienced on RHEL5.

Comment 1 Tomas Mraz 2007-08-16 22:26:24 UTC
pam_rhosts_auth just calls innetgr which is glibc function.

Comment 2 Kevin Collins 2007-08-16 22:42:36 UTC
Please close - Not A Bug. 

After looking at the source (pam_rhosts_auth.c) I created a small C program 
(calling innetgr) and validated that I was only seeing the problem with a 
particular netgroup. On further investigation, I found one of my LDAP replicas 
was out of sync due to an earlier error.

Note You need to log in before you can comment on or make changes to this bug.