>Number: 156945
>Category: misc
>Synopsis: Name service Switch does not work as documented for group
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 11 02:40:02 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Brett Wynkoop
>Release: 8.2
>Organization: Wynn Data Ltd.
>Environment:
FreeBSD fbsdvm.isprime.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0 r219081M: Wed Mar 2 08:29:52 CET 2011 root@www4:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I first observed this issue in FreeBSD 5, so this pertains to FreeBSD 5.x - 8.2 and probably into HEAD.
group does not honor the behavior documented in the nsswitch.conf man page. In specific:

group: files ldap
    only files is ever consulted
group: ldap files
    only /etc/group is ever consulted
group: files [notfound=continue] ldap
    only /etc/group is consulted
group: ldap [notfound=continue] files
    only ldap is consulted

passwd seems to behave as documented with relation to nsswitch.conf settings. I believe that someone needs to look at the code pertaining to groups in whatever library nsswitch.conf is called from. This issue will affect anyone using groups from ldap, nis, or hesiod with the programs su or sudo.
>How-To-Repeat:
Put a user in group wheel on your ldap server or nis server or hesiod server, but not in group wheel on the local system, and with the following entry in nsswitch.conf:

group: files ldap

Then attempt to run su. You can also look at the output of

getent group wheel
>Fix:
The same sort of code that is used with respect to passwd and hosts needs to be inserted into the libraries that deal with group and nsswitch.conf.
>Release-Note:
>Audit-Trail:
>Unformatted:
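As an added illustration (not part of the PR and not FreeBSD's libc code), the following Python walks a group: line the way nsswitch.conf(5) documents it, so the expected result of each of the four configurations above can be compared with what getent group wheel actually prints. The files and ldap group data and the sample user are constructed assumptions.

```python
import re

# nsswitch.conf(5) defaults: a successful lookup ends the walk, any other
# status (notfound, unavail, tryagain) moves on to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_group_line(line):
    """Parse 'group: files [notfound=continue] ldap' into [(source, actions)]."""
    db, _, spec = line.partition(":")
    if db.strip() != "group":
        raise ValueError("expected a 'group:' line")
    spec = spec.split("#", 1)[0]          # drop a trailing comment
    entries = []
    # A token is either a [status=action ...] block (applies to the source
    # just before it) or a bare source name such as files, ldap, nis.
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not entries:
                raise ValueError("criteria before any source")
            for crit in tok[1:-1].split():
                status, _, action = crit.partition("=")
                entries[-1][1][status.lower()] = action.lower()
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return entries


def lookup_group(line, name, sources):
    """Resolve `name` following the documented source walk.

    `sources` maps a source name to {group: [members]} or to None when the
    source is unavailable (e.g. the LDAP server is down).
    Returns (source, members) of the first source whose status says return,
    or None if the walk ends without a hit.
    """
    for source, actions in parse_group_line(line):
        data = sources.get(source)
        if data is None:
            status, result = "unavail", None
        elif name in data:
            status, result = "success", (source, data[name])
        else:
            status, result = "notfound", None
        if actions[status] == "return":
            return result
    return None


# Constructed data: local wheel has only root, the LDAP wheel also has alice.
FILES = {"wheel": ["root"]}
LDAP = {"wheel": ["root", "alice"], "ldapadmins": ["alice"]}
SOURCES = {"files": FILES, "ldap": LDAP}
```

Under the documented semantics `group: files ldap` answers `wheel` from /etc/group because files succeeds first, and only a group missing from files (here `ldapadmins`) falls through to ldap; `[notfound=return]` stops even that fallthrough.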