Re: getnetgrent(3) fails to parse long netgroup entry if it is stored in NIS
Date: Tue, 15 Mar 2022 23:15:30 UTC

"man 5 netgroup" notes that a netgroup line is limited to 1024 bytes.
Are you sure you haven't just exceeded this limit?

rick

________________________________________
From: owner-freebsd-current@freebsd.org <owner-freebsd-current@freebsd.org> on behalf of Yasuhiro Kimura <yasu@FreeBSD.org>
Sent: Tuesday, March 15, 2022 12:48 PM
To: freebsd-current@freebsd.org
Subject: getnetgrent(3) fails to parse long netgroup entry if it is stored in NIS

Hello,

I use a netgroup stored in the NIS database to control access to an NFS server. Recently I added some hosts to the netgroup that is permitted access to the NFS server. After that, mountd(8) writes messages such as the following to syslog.

Mar 15 17:16:59 server mountd[4276]: can't get address info for host host34.nfs.
Mar 15 17:16:59 server mountd[4276]: bad host host34.nfs. in netgroup permitted_nfs_clients, skipping

The netgroup entry used to control access to the NFS server includes a lot of hosts, as follows.

----------------------------------------------------------------------
yasu@server[1002]% ypmatch -k permitted_nfs_clients netgroup
permitted_nfs_clients: (host01.nfs.example.com,,) (host02.nfs.example.com,,) (host03.nfs.example.com,,) (host04.nfs.example.com,,) (host05.nfs.example.com,,) (host06.nfs.example.com,,) (host07.nfs.example.com,,) (host08.nfs.example.com,,) (host09.nfs.example.com,,) (host10.nfs.example.com,,) (host11.nfs.example.com,,) (host12.nfs.example.com,,) (host13.nfs.example.com,,) (host14.nfs.example.com,,) (host15.nfs.example.com,,) (host16.nfs.example.com,,) (host17.nfs.example.com,,) (host18.nfs.example.com,,) (host19.nfs.example.com,,) (host20.nfs.example.com,,) (host21.nfs.example.com,,) (host22.nfs.example.com,,) (host23.nfs.example.com,,) (host24.nfs.example.com,,) (host25.nfs.example.com,,) (host26.nfs.example.com,,) (host27.nfs.example.com,,) (host28.nfs.example.com,,) (host29.nfs.example.com,,) (host30.nfs.example.com,,) (host31.nfs.example.com,,) (host32.nfs.example.com,,) (host33.nfs.example.com,,) (host34.nfs.example.com,,) (host35.nfs.example.com,,) (host36.nfs.example.com,,) (host37.nfs.example.com,,) (host38.nfs.example.com,,) (host39.nfs.example.com,,) (host40.nfs.example.com,,) (host41.nfs.example.com,,) (host42.nfs.example.com,,) (host43.nfs.example.com,,) (host44.nfs.example.com,,) (host45.nfs.example.com,,) (host46.nfs.example.com,,) (host47.nfs.example.com,,) (host48.nfs.example.com,,) (host49.nfs.example.com,,) (host50.nfs.example.com,,)
yasu@server[1054]%
----------------------------------------------------------------------

And if I remove host34.nfs.example.com from permitted_nfs_clients, then the syslog messages of mountd(1) change as follows.

Mar 15 17:16:59 server mountd[4276]: can't get address info for host host35.nfs.
Mar 15 17:16:59 server mountd[4276]: bad host host35.nfs. in netgroup permitted_nfs_clients, skipping

It seems to stop parsing the value of the netgroup entry in the middle if the length is longer than a certain value. I checked usr.sbin/mountd/mountd.c and found it uses getnetgrent(3) to parse the value of the netgroup entry. So I wrote the following program to check its behavior.

----------------------------------------------------------------------
yasu@server[1152]% cat list_netgroup_entry.c
#include <stdio.h>
#include <libgen.h>
#include <netdb.h>

int
main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "Usage: %s NameOfNetgroup\n", basename(argv[0]));
		return 1;
	}

	setnetgrent(argv[1]);
	printf("netgroup: %s\n", argv[1]);

	char *host, *user, *domain;
	while (getnetgrent(&host, &user, &domain))
		printf("\thost: %s, user: %s, domain: %s\n", host, user, domain);

	endnetgrent();
	return 0;
}
yasu@server[1152]%
----------------------------------------------------------------------

If the netgroup entry is stored in /etc/netgroup, then the value is parsed properly.
----------------------------------------------------------------------
yasu@server[1061]% cat /etc/netgroup
very_long_file_entry (host1.long.long.long.example.com,,) \
	(host2.long.long.long.example.com,,) \
	(host3.long.long.long.example.com,,) \
	(host4.long.long.long.example.com,,) \
	(host5.long.long.long.example.com,,) \
	(host6.long.long.long.example.com,,) \
	(host7.long.long.long.example.com,,) \
	(host8.long.long.long.example.com,,) \
	(host9.long.long.long.example.com,,) \
	(host10.long.long.long.example.com,,) \
	(host11.long.long.long.example.com,,) \
	(host12.long.long.long.example.com,,) \
	(host13.long.long.long.example.com,,) \
	(host14.long.long.long.example.com,,) \
	(host15.long.long.long.example.com,,) \
	(host16.long.long.long.example.com,,) \
	(host17.long.long.long.example.com,,) \
	(host18.long.long.long.example.com,,) \
	(host19.long.long.long.example.com,,) \
	(host20.long.long.long.example.com,,) \
	(host21.long.long.long.example.com,,) \
	(host22.long.long.long.example.com,,) \
	(host23.long.long.long.example.com,,) \
	(host24.long.long.long.example.com,,) \
	(host25.long.long.long.example.com,,) \
	(host26.long.long.long.example.com,,) \
	(host27.long.long.long.example.com,,) \
	(host28.long.long.long.example.com,,) \
	(host29.long.long.long.example.com,,) \
	(host30.long.long.long.example.com,,)
+
yasu@server[1062]% ./list_netgroup_entry very_long_file_entry
netgroup: very_long_file_entry
	host: host30.long.long.long.example.com, user: , domain:
	host: host29.long.long.long.example.com, user: , domain:
	host: host28.long.long.long.example.com, user: , domain:
	host: host27.long.long.long.example.com, user: , domain:
	host: host26.long.long.long.example.com, user: , domain:
	host: host25.long.long.long.example.com, user: , domain:
	host: host24.long.long.long.example.com, user: , domain:
	host: host23.long.long.long.example.com, user: , domain:
	host: host22.long.long.long.example.com, user: , domain:
	host: host21.long.long.long.example.com, user: , domain:
	host: host20.long.long.long.example.com, user: , domain:
	host: host19.long.long.long.example.com, user: , domain:
	host: host18.long.long.long.example.com, user: , domain:
	host: host17.long.long.long.example.com, user: , domain:
	host: host16.long.long.long.example.com, user: , domain:
	host: host15.long.long.long.example.com, user: , domain:
	host: host14.long.long.long.example.com, user: , domain:
	host: host13.long.long.long.example.com, user: , domain:
	host: host12.long.long.long.example.com, user: , domain:
	host: host11.long.long.long.example.com, user: , domain:
	host: host10.long.long.long.example.com, user: , domain:
	host: host9.long.long.long.example.com, user: , domain:
	host: host8.long.long.long.example.com, user: , domain:
	host: host7.long.long.long.example.com, user: , domain:
	host: host6.long.long.long.example.com, user: , domain:
	host: host5.long.long.long.example.com, user: , domain:
	host: host4.long.long.long.example.com, user: , domain:
	host: host3.long.long.long.example.com, user: , domain:
	host: host2.long.long.long.example.com, user: , domain:
	host: host1.long.long.long.example.com, user: , domain:
yasu@server[1063]%
----------------------------------------------------------------------

But if it is stored in the NIS database, then parsing stops in the middle of it.
----------------------------------------------------------------------
yasu@server[1063]% ypmatch -k very_long_nis_entry netgroup
very_long_nis_entry: (host1.long.long.long.example.com,,) (host2.long.long.long.example.com,,) (host3.long.long.long.example.com,,) (host4.long.long.long.example.com,,) (host5.long.long.long.example.com,,) (host6.long.long.long.example.com,,) (host7.long.long.long.example.com,,) (host8.long.long.long.example.com,,) (host9.long.long.long.example.com,,) (host10.long.long.long.example.com,,) (host11.long.long.long.example.com,,) (host12.long.long.long.example.com,,) (host13.long.long.long.example.com,,) (host14.long.long.long.example.com,,) (host15.long.long.long.example.com,,) (host16.long.long.long.example.com,,) (host17.long.long.long.example.com,,) (host18.long.long.long.example.com,,) (host19.long.long.long.example.com,,) (host20.long.long.long.example.com,,) (host21.long.long.long.example.com,,) (host22.long.long.long.example.com,,) (host23.long.long.long.example.com,,) (host24.long.long.long.example.com,,) (host25.long.long.long.example.com,,) (host26.long.long.long.example.com,,) (host27.long.long.long.example.com,,) (host28.long.long.long.example.com,,) (host29.long.long.long.example.com,,) (host30.long.long.long.example.com,,)
yasu@server[1064]% ./list_netgroup_entry very_long_nis_entry
netgroup: very_long_nis_entry
	host: host25.long.long.long.examp, user: , domain:
	host: host24.long.long.long.example.com, user: , domain:
	host: host23.long.long.long.example.com, user: , domain:
	host: host22.long.long.long.example.com, user: , domain:
	host: host21.long.long.long.example.com, user: , domain:
	host: host20.long.long.long.example.com, user: , domain:
	host: host19.long.long.long.example.com, user: , domain:
	host: host18.long.long.long.example.com, user: , domain:
	host: host17.long.long.long.example.com, user: , domain:
	host: host16.long.long.long.example.com, user: , domain:
	host: host15.long.long.long.example.com, user: , domain:
	host: host14.long.long.long.example.com, user: , domain:
	host: host13.long.long.long.example.com, user: , domain:
	host: host12.long.long.long.example.com, user: , domain:
	host: host11.long.long.long.example.com, user: , domain:
	host: host10.long.long.long.example.com, user: , domain:
	host: host9.long.long.long.example.com, user: , domain:
	host: host8.long.long.long.example.com, user: , domain:
	host: host7.long.long.long.example.com, user: , domain:
	host: host6.long.long.long.example.com, user: , domain:
	host: host5.long.long.long.example.com, user: , domain:
	host: host4.long.long.long.example.com, user: , domain:
	host: host3.long.long.long.example.com, user: , domain:
	host: host2.long.long.long.example.com, user: , domain:
	host: host1.long.long.long.example.com, user: , domain:
yasu@server[1065]%
----------------------------------------------------------------------

So it seems getnetgrent(3) fails to parse a long netgroup entry if it is stored in NIS.

---
Yasuhiro Kimura
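
Added example, not part of the original thread and not FreeBSD code: a small C checker for the 1024-byte netgroup(5) limit raised in the reply, reporting how many (host,user,domain) triples of a record close inside the limit so an oversized access-control entry is caught before mountd(8) starts skipping hosts. The names `audit_netgroup` and `build_sample`, the sample data, and the assumption that the limit covers the netgroup name, one space and the value are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Limit quoted from netgroup(5) in the reply above. */
#define NETGROUP_LINE_LIMIT 1024

struct ng_audit {
    size_t length;       /* bytes in "name value" */
    int    total;        /* complete (host,user,domain) triples */
    int    within_limit; /* triples whose ')' lies inside the limit */
};

/* Assumption: the limit covers the netgroup name, one space and the value. */
struct ng_audit audit_netgroup(const char *name, const char *value, size_t limit)
{
    size_t base = strlen(name) + 1; /* offset of value in the joined line */
    struct ng_audit r = { base + strlen(value), 0, 0 };
    const char *p = value, *end;

    /* Walk each "(...)" group; an unterminated group ends the scan. */
    while ((p = strchr(p, '(')) != NULL && (end = strchr(p, ')')) != NULL) {
        r.total++;
        if (base + (size_t)(end - value) < limit)
            r.within_limit++;
        p = end + 1;
    }
    return r;
}

/* Constructed sample value: `hosts` triples in the style of the report. */
void build_sample(char *buf, size_t size, int hosts)
{
    size_t off = 0;
    buf[0] = '\0';
    for (int i = 1; i <= hosts && off < size; i++)
        off += (size_t)snprintf(buf + off, size - off,
                                "(host%02d.nfs.example.com,,) ", i);
}

int main(void)
{
    char value[4096];
    build_sample(value, sizeof value, 40);
    struct ng_audit r = audit_netgroup("permitted_nfs_clients", value,
                                       NETGROUP_LINE_LIMIT);
    printf("%zu bytes, %d triples, %d inside the %d-byte limit\n",
           r.length, r.total, r.within_limit, NETGROUP_LINE_LIMIT);
    return r.within_limit == r.total ? 0 : 1; /* non-zero: entry too long */
}
```

An entry that fails the check can be split into smaller netgroups that a parent entry references by name, which netgroup(5) permits.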