field | value | date
---|---|---
author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2009-03-27 12:31:32 +0000
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2009-03-27 12:31:32 +0000
commit | d93fc1a1684488d7b21a605d1bc0be48c5396c06 (patch) |
tree | 9742e657056b95cbd413a1db24a2148f181e06f8 /usr.sbin |
parent | ac75bc8f28649ab06beac0d936bac5f22de43add (diff) |
getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP.
getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains
a matching entry before the first YP entry, use that and stay away from YP.
Taken together, this allows a solution to the following problem pointed
out by deraadt@: When YP was configured but temporarily unavailable, even
root login would block, hindering you when trying to do repairs.
To avoid this, you can now provide a static entry for root in /etc/netid.
Using suggestions from miod@ otto@ blambert@ jmc@.
"commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.
Diffstat (limited to 'usr.sbin')
mode | file | lines changed
---|---|---
-rw-r--r-- | usr.sbin/ypserv/mknetid/netid.5 | 96
1 files changed, 69 insertions, 27 deletions
diff --git a/usr.sbin/ypserv/mknetid/netid.5 b/usr.sbin/ypserv/mknetid/netid.5 index 8560fdf21e5..c22c4cb66cf 100644 --- a/usr.sbin/ypserv/mknetid/netid.5 +++ b/usr.sbin/ypserv/mknetid/netid.5 @@ -1,5 +1,6 @@ -.\" $OpenBSD: netid.5,v 1.11 2007/05/31 19:20:31 jmc Exp $ +.\" $OpenBSD: netid.5,v 1.12 2009/03/27 12:31:31 schwarze Exp $ .\" +.\" Copyright (c) 2008 Ingo Schwarze <schwarze@usta.de> .\" Copyright (c) 1996 Mats O Jansson <moj@stacken.kth.se> .\" All rights reserved. .\" 
@@ -24,54 +25,95 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: March 27 2009 $ .Dt NETID 5 .Os .Sh NAME .Nm netid -.Nd -.Nm YP -network credential file +.Nd YP network credential file .Sh DESCRIPTION -Files in -.Nm netid -format are rare. -One lives in the -.Nm YP -map -.Dq netid.byname . -The format is rather simple. -Each row consists of two items: a key and a value. -When created by -.Xr mknetid 8 -there are three types of records. +The file +.Pa /etc/netid +consists of newline separated ASCII records. +Each record consists of a key, a single blank character, and a value. +The key and the value may be arbitrary strings except that neither +may contain blank characters. .Pp -The first type is information about which GIDs a UID has: +Records in the file +.Pa /etc/netid +and in the +.Pa netid.byname +YP map are ignored by the system unless they have the following form: .Bd -literal -unix.<uid>@<yp-domain> <uid>:<gid>,<gid> +unix.<uid>@<yp-domain> <uid>:<gid>,<gid>,... .Ed .Pp -The second type contains information about hosts: +When YP is enabled in the +.Xr group 5 +file, such records specify that the function +.Xr getgrouplist 3 +shall return the specified groups in addition to the groups +found in the group file. +The file +.Pa /etc/netid +is parsed before the +.Pa netid.byname +YP map. +Only the first matching record is used. +.Pp +The main use of the +.Pa /etc/netid +file is to allow certain users to log in even while YP is enabled but +temporarily unavailable. +These users must also be listed in the local +.Xr master.passwd 5 +file. +If consistency of group membership information is required while YP is +enabled and available, all records in the +.Pa /etc/netid +file must agree with records in the +.Pa netid.byname +YP map, although the latter may contain additional records. 
+If consistency of group membership information is required even while YP is +enabled but unavailable, the records in the +.Pa /etc/netid +file must not grant more group memberships than the +.Xr group 5 +file, and users having their own record in the +.Pa /etc/netid +file must not show up in the +.Pa group.byname +and +.Pa group.bygid +YP maps. +.Pp +On a YP master server, +.Xr Makefile.yp 8 +uses the +.Xr mknetid 8 +utility to generate the +.Pa netid.byname +YP map. +In this case, the YP map will also contain records of the following form: .Bd -literal unix.<hostname>@<yp-domain> 0:<hostname> .Ed .Pp -The third type refers to records from a -.Nm netid -file other than the two types above. +Such records are ignored by the system. .Sh FILES .Bl -tag -width /etc/netid -compact .It Pa /etc/netid -for lines not generated automatically by -.Xr mknetid 8 . .El .Sh EXAMPLES -A configuration file might look like the following: -.Bd -literal +A netid file or YP map might look like the following: +.Bd -literal -offset indent unix.10714@kaka 10714:400,10 unix.jodie@kaka 0:jodie .Ed .Sh SEE ALSO +.Xr getgrouplist 3 , +.Xr group 5 , +.Xr Makefile.yp 8 , .Xr mknetid 8 , .Xr yp 8 .Sh AUTHORS |
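Review bot: the new sentence "These users must also be listed in the local .Xr master.passwd 5 file." drops the ordering condition the commit message states for getpwnam/getpwuid: the local entry is only used if it appears before the first YP entry in master.passwd, otherwise the lookup still goes to YP and root login can still block. Suggest "These users must also be listed in the local master.passwd(5) file, before the first YP entry." so the documented recipe actually works when YP is down. Also, in the FILES section the removal of "for lines not generated automatically by mknetid(8)." leaves ".It Pa /etc/netid" with no description before ".El"; a one-line description (e.g. "local records, parsed before the netid.byname YP map") would keep the list item from rendering empty.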
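A worked model of the lookup order the commit message describes and the record form netid(5) documents, added here as an illustration; it is not code from OpenBSD's libc, which implements the real behaviour inside getgrouplist(3). The sample records are constructed from the man page's own example plus a static root record, and the names netid_parse, netid_scan, netid_lookup and demo are mine. A NULL YP map stands for "YP configured but unreachable", the situation in which root login used to block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXGROUPS 16

/*
 * Parse one netid record.  Only records of the documented form
 *     unix.<uid>@<domain> <uid>:<gid>,<gid>,...
 * count; a host record such as "unix.jodie@kaka 0:jodie" fails the
 * numeric-uid check on the key and is ignored.  Returns the number of
 * gids stored, or -1 if the record does not match uid and domain.
 */
static int
netid_parse(const char *rec, const char *domain, unsigned uid,
    unsigned *gids, int max)
{
	char key[128], val[256], rdom[64];
	unsigned ruid, vuid;
	const char *p;
	char *end;
	int n = 0;

	if (sscanf(rec, "%127s %255s", key, val) != 2)
		return -1;
	if (sscanf(key, "unix.%u@%63s", &ruid, rdom) != 2)
		return -1;
	if (ruid != uid || strcmp(rdom, domain) != 0)
		return -1;

	/* value is <uid>:<gid>,<gid>,...; the uid must be repeated */
	vuid = (unsigned)strtoul(val, &end, 10);
	if (end == val || *end != ':' || vuid != uid)
		return -1;
	for (p = end + 1; *p != '\0'; p = end + 1) {
		unsigned g = (unsigned)strtoul(p, &end, 10);
		if (end == p || n >= max)
			return -1;	/* malformed or too many groups */
		gids[n++] = g;
		if (*end == '\0')
			break;
		if (*end != ',')
			return -1;
	}
	return n;
}

/* Scan newline separated records; the first matching record wins. */
static int
netid_scan(const char *buf, const char *domain, unsigned uid,
    unsigned *gids, int max)
{
	char rec[512];
	const char *line = buf, *nl;
	size_t len;
	int n;

	while (*line != '\0') {
		nl = strchr(line, '\n');
		len = nl != NULL ? (size_t)(nl - line) : strlen(line);
		if (len >= sizeof rec)
			len = sizeof rec - 1;
		memcpy(rec, line, len);
		rec[len] = '\0';
		n = netid_parse(rec, domain, uid, gids, max);
		if (n >= 0)
			return n;
		if (nl == NULL)
			break;
		line = nl + 1;
	}
	return -1;
}

/*
 * /etc/netid is consulted first; YP is never touched when it answers.
 * Returns the number of extra gids, 0 if no record exists anywhere,
 * or -1 if only YP could answer but YP is unreachable (yp_map == NULL).
 */
static int
netid_lookup(const char *local_netid, const char *yp_map,
    const char *domain, unsigned uid, unsigned *gids, int max)
{
	int n = netid_scan(local_netid, domain, uid, gids, max);

	if (n >= 0)
		return n;
	if (yp_map == NULL)
		return -1;
	n = netid_scan(yp_map, domain, uid, gids, max);
	return n >= 0 ? n : 0;
}

/* Constructed sample data, not taken from any real system. */
static const char LOCAL_NETID[] =		/* /etc/netid */
    "unix.0@kaka 0:0\n"				/* static record for root */
    "unix.jodie@kaka 0:jodie\n";		/* host record: ignored */
static const char YP_NETID[] =			/* netid.byname map */
    "unix.10714@kaka 10714:400,10\n"
    "unix.0@kaka 0:0,5\n";			/* shadowed by /etc/netid */

static unsigned demo_gids[MAXGROUPS];

/* yp_up == 0 simulates an unreachable YP server. */
static int
demo(int yp_up, unsigned uid)
{
	return netid_lookup(LOCAL_NETID, yp_up ? YP_NETID : NULL, "kaka",
	    uid, demo_gids, MAXGROUPS);
}

int
main(void)
{
	unsigned uids[] = { 0, 10714 };
	int yp, i, j, n;

	for (yp = 1; yp >= 0; yp--) {
		for (i = 0; i < 2; i++) {
			n = demo(yp, uids[i]);
			printf("YP %s, uid %u: ", yp ? "up" : "down", uids[i]);
			if (n < 0) {
				printf("blocked, only YP could answer\n");
				continue;
			}
			printf("%d extra group(s)", n);
			for (j = 0; j < n; j++)
				printf(" %u", demo_gids[j]);
			printf("\n");
		}
	}
	return 0;
}
```

With YP down, root (uid 0) still resolves from the local record while uid 10714, which exists only in the map, gets the blocked result; with YP up, the local root record shadows the map's "0:0,5" line because the first match wins. The real getgrouplist(3) adds these gids to the memberships found in group(5); this model shows only the netid contribution.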