Fix for PR #510. The original problem was that __ivaliduser() was
failing to grant access to a machine listed in a +@netgroup specified
in /etc/hosts.equiv, even though the host being checked was most
certainly in the +@netgroup.
The /etc/hosts.equiv file in question looked like this:
localhost
+@netgroup
The reason for the failure was had to do with gethostbyaddr(). Inside
the __ivaliduser() routine, we need to do a gethostbyaddr() in order
to get back the actual name of the host we're trying to validate since
we're only passed its IP address. The hostname returned by gethostbyaddr()
is later passed as an argument to innetgr(). The problem is that
__icheckhost() later does a gethostbyname() of its own, which clobbers
the buffer returned by gethostbyaddr().
The fix is just to copy the hostname into a private buffer and use
_that_ as the 'host' argument that gets passed to innetgr().
And here I was crawling all over the innetgr() code thinking the
problem was there. *sigh*
'NIS information unchanged' or '/etc/master.passwd unchanged'
depending on which was is being modified (conditional on -DYP).
This is to save me the trouble of writing a whole other error
routine (nis_error()?) for the upcoming changes to passwd and
chpass.
bump it again if something else is added before 2.2.
The xdr_* functions are enabled only in the 2.2 (-current) branch
so far. If that modification is moved to the 2.1 (-stable) branch,
this one should, too.
Reviewed by: the mailing lists
- getnetgrent.c: address some NIS compatibility problems. We really need
to use the netgroup.byuser and netgroup.byhost maps to speed up innetgr()
when using NIS. Also, change the NIS interaction in the following way:
If /etc/netgroup does not exist or is empty (or contains only the
NIS '+' token), we now use NIS exclusively. This lets us use the
'reverse netgroup' maps and is more or less the behavior of other
platforms.
If /etc/netgroup exists and contains local netgroup data (but no '+').
we use only lthe local stuff and ignore NIS.
If /etc/netgroup exists and contains both local data and the '+',
we use the local data nd the netgroup map as a single combined
database (which, unfortunately, can be slow when the netgroup
database is large). This is what we have been doing up until now.
Head off a potential NULL pointer dereference in the old innetgr()
matching code.
Also fix the way the NIS netgroup map is incorporated into things:
adding the '+' is supposed to make it seem as though the netgroup
database is 'inserted' wherever the '+' is placed. We didn't quite
do it that way before.
(The NetBSD people apparently use a real, honest-to-gosh, netgroup.db
database that works just like the password database. This is
actually a neat idea since netgroups is the sort of thing that
can really benefit from having multi-key search capability,
particularly since reverse lookups require more than a trivial
amount of processing. Should we do something like this too?)
- netgroup.5: document all this stuff.
- rcmd.c: some sleuthing with some test programs linked with my own
version of innetgr() has revealed that SunOS always passes the NIS
domain name to innetgr() in the 'domain' argument. We might as well
do the same (if YP is defined).
- ether_addr.c: also fix the NIS interaction so that placing the
'+' token in the /etc/ethers file makes it seem like the NIS
ethers data is 'inserted' at that point. (Chances are nobody will
notice the effect of this change, which is just te way I like it. :)
specified in the top level Makefiles.
Previously I missed dozens of Makefiles that skip the install after
using `cmp -s' to decide that the install isn't necessary.
variable directly in tgetent by stderr or stdout output speed.
It helps hide in non-standard __set_ospeed function and remove it
from other sources (coming soon).
Do prototype cleanup too.
changeover, so we have to extend the format of timezone files (in a backward-
compatible way, of course). This probably means that libc needs a minor
version number bump before 2.2 is released (or maybe not).
by me). This probably loses for multibyte characters, but I have no
way of telling. I'll let ache decide whether to add this support to
startup_setlocale. Note that for this to make any sense at all, the
symlinks in /usr/share/locale must go. (For the moment, this doesn't
make any difference since there are no locales supplied.)
Obtained from: Arthur David Olson <ado@elsie.nci.nih.gov>
Basically all termios+termcap pgms needs it.
It set ospeed variable using nearest-matched stty speeds,
which helps termcap pgms works with non-fixed termios speeds
and not duplicate ospeed switch into every pgm.
Also it isn't standard function, its source code is too big to include it
in whole to every termcap+termios pgm.
Back out the 'help NIS rebind faster' hack. This change used a
connect()/send() pair rather than the original sendto() to allow
RPC to pass ICMP host unreachable and similar errors up to RPC
programs that use UDP. This is not a terrible thing by itself, but it can
cause trouble in environments with multi-homed hosts: if the portmapper
on the multi-homed machine sends a reply with a source address
that's different than the one associated with the connection by
connect(), the kernel will send a port unreachable message and
drop the reply. For the sake of compatibility with everybody else
on the planet, it's best to revert to the old behavior.
*long, heavy sigh*
like 38400<any 8bit char, isalpha> it not detect this stuff and
produce very big number instead. Fixed by operating with unsigned char
and checking for isascii. (secure/telnetd hits by it f.e.)
the comment before checking for long lines, so there was a possibility
that the wrap-around might be used as an exploitable hostname.
Reviewed by:
Submitted by:
Obtained from:
Strange as it sounds, it should map to YPERR_DOMAIN instead.
The YP_NODOM protocol error code is generally returned by ypserv when you
ask it for data from a domain that it doesn't support. By contrast,
the YPERR_NODOM error code means 'local domain name not set.'
Consequently, this incorrect mapping leads to yperr_string() generating
a very confusing error message. YPERR_DOMAIN says 'couldn't
bind to a server which serves this domain' which is much closer
to the truth.
1) Do dependencies.
2) Install all appropriate links to manual pages.
3) Install header file in `beforeinstall' like all the rest.
4) Install header file only if changed.
5) Install object files only if changed.
on dlclose. Also correctly call constructors and destructors for libraries
linked with /usr/lib/c++rt0.o.
Change interpretation of dlopen manpage to call _init() rather than init()
for dlopened objects.
Change c++rt0.o to avoid using atexit to call destructors, allowing dlclose to
call destructors when an object is unloaded.
Change interface between crt0 and ld.so to allow crt0 to call a function on
exit to call destructors for shared libraries explicitly.
These changes are backwards compatible. Old binaries will work with the new
ld.so and new binaries will work with the old ld.so. A version number has
been introduced in the crt0-ld.so interface to allow for future changes.
Reviewed by: GAWollman, Craig Struble <cstruble@singularity.bevc.blacksburg.va.us>
_gr_breakout_yp(): if we encounter a NULL pointer generated as the
result of a badly formatted NIS passwd entry (e.g. missing fields),
we punt and return an error code, thereby silently skipping the
bad entry.
last night:
_gr_breakout_yp() doesn't check for badly formatted NIS group entries.
For example, a bogus entry like this:
bootp::user1,user2,user3
will lead to a null pointer dereference and a SEGV (note that the GID
field is missing -- this results in one of the strsep(&result, ":")
returning NULL). The symtpom of this problem is programs dumping
core left and right the moment you add a + entry to /etc/group.
Note that while this is similar to an earlier bug, it's caused by a
different set of circumstances.
The fix is to check for the NULL pointers and have _gr_breakout_yp()
punt and return a failure code if it catches one. This is more or
less the behavior of SunOS: if a bad NIS group entry is encountered,
it's silently ignored. I don't think our standard (non-NIS) group
parsing code behaves the same way. It doesn't crash though, so I'm
citing the 'it ain't broken, don't fix it' rule and leaving it alone.
I'll probably have to add similar checks to _pw_breakout_yp() in
getpwent.c to ward off the same problems. It's rare that bad NIS
map entries like this occur, but we should handle them gracefully
when they do.
