Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group

To: Vincent Lefevre <vincent@vinc17.org>, 295680@bugs.debian.org
Cc: Lars Wirzenius <liw@iki.fi>
Subject: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
From: GOMBAS Gabor <gombasg@sztaki.hu>
Date: Sat, 18 Jun 2005 23:55:13 +0200
Message-id: <[🔎] 20050618215512.GA8408@boogie.lpds.sztaki.hu>
Reply-to: GOMBAS Gabor <gombasg@sztaki.hu>, 295680@bugs.debian.org
In-reply-to: <[🔎] 20050617175610.GB29111@ay.vinc17.org>
References: <[🔎] 1118962988.8559.49.camel@esme.liw.iki.fi> <[🔎] 20050617065153.GD4741@ay.vinc17.org> <[🔎] 20050617163601.GG4075@boogie.lpds.sztaki.hu> <[🔎] 20050617175610.GB29111@ay.vinc17.org>

On Fri, Jun 17, 2005 at 07:56:10PM +0200, Vincent Lefevre wrote:

> Lots of Debian packages create local groups (and in fact, this is the
> only problem I have with local groups). So, what do you suggest? Not
> using Debian because it is a security bug?

No. But if you want to use NIS you have to be familiar with the
consequences. If your local NIS policy allows having groups with IDs <
1000 in NIS maps, then you should better be prepared that automatic group
creation _will_ fail and you have to fix it up manually. There is nothing
Debian can do about it.

> > > $ ./grname doctex
> > > 42 (doctex)
> > > $ ./grname 42
> > > 42 (shadow)
> >  
> > Yes, it is correct as far as libc is concerned. It is simply a
> > system administration error.
> 
> So, this is a bug in Debian.

No, it's a bug in your local NIS policy if you allow group IDs < 1000
being served by NIS and still expect automatic local system group
creation to work.

> I don't have such information, but I could probably ask them. The
> problem is that they don't support Debian, so that their group id
> range will conflict with Debian's group id range (in particular
> because some group ids are hardcoded in Debian).

Then you have no other option than to synchronize your local group IDs
with NIS manually.

NIS enforces a central policy that is defined by the NIS administrators.
The package management system has no way to know about that policy. If
you want to be part of a NIS setup you have to manually adapt the local
system configuration to match the central policy.

Of course, if you do not have a well-defined and well-designed NIS
policy but rather it was just an ad-hoc setup then you will have
difficulties...

> Moreover, if some group exists in the NIS database, why isn't it
> possible to have a copy (with the same group id) in /etc/groups?
> This could be useful when the NIS server is down, for instance.

It is possible but you have to do it manually. This cannot be automated
in general (think about the group ID being changed in NIS but not in
your local copy).

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------

Reply to:

Follow-Ups:
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Vincent Lefevre <vincent@vinc17.org>

References:
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Lars Wirzenius <liw@iki.fi>
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Vincent Lefevre <vincent@vinc17.org>
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: GOMBAS Gabor <gombasg@sztaki.hu>
- Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
  - From: Vincent Lefevre <vincent@vinc17.org>

Prev by Date: Online computer solutions.
Next by Date: Bug#314855: tr_TR.ISO-8859-9...LC_MONETARY: `int_curr_symbol' does not correspond to valid name
Previous by thread: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
Next by thread: Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
Index(es):
- Date
- Thread