Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group

To: GOMBAS Gabor <gombasg@sztaki.hu>
Cc: 295680@bugs.debian.org, Lars Wirzenius <liw@iki.fi>
Subject: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
From: Vincent Lefevre <vincent@vinc17.org>
Date: Fri, 17 Jun 2005 19:56:10 +0200
Message-id: <[🔎] 20050617175610.GB29111@ay.vinc17.org>
Reply-to: Vincent Lefevre <vincent@vinc17.org>, 295680@bugs.debian.org
In-reply-to: <[🔎] 20050617163601.GG4075@boogie.lpds.sztaki.hu>
References: <[🔎] 1118962988.8559.49.camel@esme.liw.iki.fi> <[🔎] 20050617065153.GD4741@ay.vinc17.org> <[🔎] 20050617163601.GG4075@boogie.lpds.sztaki.hu>

On 2005-06-17 18:36:17 +0200, GOMBAS Gabor wrote:
> On Fri, Jun 17, 2005 at 08:51:53AM +0200, Vincent Lefevre wrote:
> > So, that would also make programs that rely on /etc/group being used
> > buggy. IIRC, when I want to add a local group with addgroup, it checks
> > first if it exists with getgrnam, and refuses to create it if it can
> > be found. And this is an error if the group exists on NIS, but not
> > locally in /etc/groups.
> 
> Huh? I was administering a large NIS setup a couple of years ago and
> this _is_ the only acceptable behaviour. I'd consider blindly creating a
> local group if it already exists in NIS a serious security bug as it may
> silently break local group-based authentication schemes.

Lots of Debian packages create local groups (and in fact, this is the
only problem I have with local groups). So, what do you suggest? Not
using Debian because it is a security bug?

> > $ ./grname doctex
> > 42 (doctex)
> > $ ./grname 42
> > 42 (shadow)
>  
> Yes, it is correct as far as libc is concerned. It is simply a
> system administration error.

So, this is a bug in Debian.

> When I was a NIS admin we had a document clearly defining the range
> of user and group IDs allowed to exist both in NIS and on the local
> machines (and it did include synchronizing even some system user and
> group IDs like "mail" over several operating systems). You simply
> cannot manage NIS without well-defined administrative rules.

I don't have such information, but I could probably ask them. The
problem is that they don't support Debian, so that their group id
range will conflict with Debian's group id range (in particular
because some group ids are hardcoded in Debian).

Moreover, if some group exists in the NIS database, why isn't it
possible to have a copy (with the same group id) in /etc/groups?
This could be useful when the NIS server is down, for instance.

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA

Reply to:

Follow-Ups:
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: GOMBAS Gabor <gombasg@sztaki.hu>

References:
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Lars Wirzenius <liw@iki.fi>
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Vincent Lefevre <vincent@vinc17.org>
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: GOMBAS Gabor <gombasg@sztaki.hu>

Prev by Date: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
Next by Date: Bug#314717: [locales] Maintainer scripts may misbehave under et_EE locale
Previous by thread: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
Next by thread: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
Index(es):
- Date
- Thread