misc/156945: Name service Switch does not work as documented for group
Brett Wynkoop
wynkoop at wynn.com
Wed May 11 02:40:02 UTC 2011
>Number: 156945
>Category: misc
>Synopsis: Name service Switch does not work as documented for group
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 11 02:40:02 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Brett Wynkoop
>Release: 8.2
>Organization:
Wynn Data Ltd.
>Environment:
FreeBSD fbsdvm.isprime.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0 r219081M: Wed Mar 2 08:29:52 CET 2011 root at www4:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I first observed this issue in FreeBSD 5, so this pertains to FreeBSD 5.x - 8.2
and probably into HEAD.
group does not honor the behavior documented in the nsswitch.conf man page.
In specific:
group: files ldap
only files is ever consulted
group: ldap files
only /etc/group is ever consulted
group: files [notfound=continue] ldap
only /etc/group is consulted
group: ldap [notfound=continue] files
only ldap is consulted
passwd seems to behave as documented with relation to nsswitch.conf settings.
I believe that someone needs to look at the code pertaining to groups in
whatever library nsswitch.conf is called from. This issue will affect
anyone using groups from ldap, nis, or hesiod with the programs su or sudo.
>How-To-Repeat:
Put a user in group wheel on your ldap server or nis server or hesiod server,
but not in group wheel on the local system and with the following entry
in nsswitch.conf
group: files ldap
Then attempt to run su. You can also look at the output of
getent group wheel
>Fix:
The same sort of code that is used with respect to passwd and hosts needs to be inserted into the libraries that deal with group and nsswitch.conf.
>Release-Note:
>Audit-Trail:
>Unformatted:
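As an added example (not part of this PR and not FreeBSD's own libc code), the script below models the lookup walk that nsswitch.conf(5) documents: sources are tried left to right, `success` defaults to `return`, and `notfound`, `unavail` and `tryagain` default to `continue`, with a bracketed `[status=action ...]` block overriding those defaults for the source just before it. The `files` and `ldap` sources and their group tables are constructed in memory (no real /etc/group or directory server is read), and `resolve` reports both the entry the documented rules would produce and which sources were actually asked.

```python
"""Reference model of the lookup walk described in nsswitch.conf(5).

Added example, not part of the PR. "files" and "ldap" here are constructed
in-memory group databases, not the real /etc/group or an LDAP server; the
model only applies the documented status/action rules to a `group:` line.
"""
import re

# Constructed sample data: the local file knows wheel without alice, the
# directory knows wheel with alice (the situation the PR's How-To-Repeat sets up).
FILES_DB = {"wheel": ("wheel", "*", 0, ["root"]),
            "staff": ("staff", "*", 20, ["root"])}
LDAP_DB = {"wheel": ("wheel", "*", 0, ["root", "alice"]),
           "admins": ("admins", "*", 5000, ["alice"])}

# Statuses a source can report and the documented default action for each:
# success stops the walk, every other status moves on to the next source.
STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
_CRITERIA = re.compile(r"\[([^\]]*)\]")


def make_source(db, available=True):
    """Return a lookup callable behaving like one nsswitch source."""
    def lookup(name):
        if not available:          # e.g. the LDAP server is unreachable
            return "unavail", None
        if name in db:
            return "success", db[name]
        return "notfound", None
    return lookup


SOURCES = {"files": make_source(FILES_DB), "ldap": make_source(LDAP_DB)}


def parse_line(line):
    """Parse `db: src [status=action ...] src ...` into (db, [(src, actions)]).

    A bracketed criteria block modifies the source immediately before it;
    sources without one keep the documented defaults.
    """
    line = line.split("#", 1)[0]               # drop trailing comment
    db, _, rest = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        m = _CRITERIA.match(tok)
        if m is None:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("criteria block with no preceding source")
        actions = entries[-1][1]
        for pair in m.group(1).split():
            status, _, action = pair.lower().partition("=")
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad criterion %r" % pair)
            actions[status] = action
    return db.strip(), entries


def resolve(line, name, sources=SOURCES):
    """Walk the sources of `line` for group `name` as the manual page describes.

    Returns (entry_or_None, consulted) where consulted lists each source that
    was actually asked together with the status it reported.
    """
    _, entries = parse_line(line)
    consulted, result = [], None
    for src, actions in entries:
        if src not in sources:
            raise KeyError("no such source: %r" % src)
        status, value = sources[src](name)
        consulted.append((src, status))
        if status == "success":
            result = value                     # last successful answer wins
        if actions[status] == "return":
            break
    return result, consulted


def format_group(entry):
    """Render an entry in the `getent group` form: name:passwd:gid:member,..."""
    name, passwd, gid, members = entry
    return "%s:%s:%d:%s" % (name, passwd, gid, ",".join(members))


if __name__ == "__main__":
    for cfg in ("group: files ldap", "group: ldap files",
                "group: files [notfound=continue] ldap",
                "group: ldap [notfound=continue] files"):
        entry, consulted = resolve(cfg, "wheel")
        print("%-40s -> %-22s consulted %s"
              % (cfg, format_group(entry) if entry else "(not found)", consulted))
```

Run it, then compare the line for your own nsswitch.conf with what `getent group wheel` prints on the host; a difference between the documented expectation and the real answer is the kind of behaviour this PR reports. Two points worth keeping in mind when reading the output: because `success` defaults to `return`, a group that exists in /etc/group (wheel always does) is answered by `files` whenever `files` is listed first and the later source is never asked, and `[notfound=continue]` merely restates the default. Since su(1) grants root on wheel membership, the source that actually answers for wheel is what decides who can become root, which is why the check is worth running on every host that takes groups from a directory.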