The innetgr() helper routine _listmatch() in /usr/src/lib/libc/gen/getnetgrent.c returns false positives for netgroups that match the regular expression '^.*group$' (substitute for group). This allows for "surprising" entries in the password file to be used. For example, if your password file contains entries like this:

    +@baduser:::::::::/bin/abusemsg
    +@user:::::::::/bin/sh

a user in the "user" netgroup *may* get the "baduser" shell. (depends on the order of the user's entry in netgroups.byuser)

Fix:

The following _listmatch() routine may work better:

    #include <string.h>

    /*
     * Return 1 if `group' appears as a complete comma-separated entry in
     * `list', 0 otherwise. `list' must be NUL-terminated; `len' is unused.
     */
    static int _listmatch(list, group, len)
        char *list, *group;
        int len;
    {
        char *ptr = list;
        int glen = strlen(group);

        /* An empty name can never match; strstr() would also never advance. */
        if (glen == 0)
            return(0);

        while ( (ptr = strstr(ptr, group)) ) {
            ptr += glen;    /* ptr now points just past the candidate */
            /* Accept only if bounded by list start or ',' and by ',' or end. */
            if ((ptr-glen == list || ptr[-glen-1] == ',') &&
                (*ptr == ',' || *ptr == '\0'))
                return(1);
        }

        return(0);
    }

How-To-Repeat:

    create NIS users a and b
    place user a in netgroup baduser
    place user b in netgroup user
    Add the above two lines to the password file
    Notice how user b is treated like a "baduser"

State Changed
From-To: open->closed

Fixed in rev 1.23 (in -current) and 1.17.2.4 (in RELENG_2_2) of getnetgrent.c. I rewrote _listmatch() so that it no longer returns false matches.
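
The matching rule the report describes ('^.*group$') set beside a whole-entry comparison, as an added example that is not FreeBSD's code or the submitter's. match_suffix() is a constructed stand-in for the described behaviour, not the original getnetgrent.c routine. All function names and the sample list are assumptions, and the walk honours an explicit length, which goes beyond the routine proposed in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the reported behaviour: an entry is accepted
 * when it merely ends with the group name ('^.*group$'). */
static int match_suffix(const char *ent, size_t elen, const char *group)
{
	size_t glen = strlen(group);
	return glen > 0 && elen >= glen &&
	    memcmp(ent + elen - glen, group, glen) == 0;
}

/* Whole-entry comparison: the lengths must agree as well as the bytes. */
static int match_exact(const char *ent, size_t elen, const char *group)
{
	size_t glen = strlen(group);
	return glen > 0 && elen == glen && memcmp(ent, group, glen) == 0;
}

/* Apply `match` to each comma-separated entry in the first `len` bytes of
 * `list` (no NUL terminator required). Returns 1 on the first hit. */
static int list_has_group(const char *list, size_t len, const char *group,
    int (*match)(const char *, size_t, const char *))
{
	const char *end = list + len, *ent = list, *comma;

	for (;;) {
		comma = memchr(ent, ',', (size_t)(end - ent));
		if (comma == NULL)
			comma = end;	/* last entry runs to the end */
		if (match(ent, (size_t)(comma - ent), group))
			return 1;
		if (comma == end)
			return 0;
		ent = comma + 1;
	}
}

int main(void)
{
	const char list[] = "staff,baduser";	/* constructed sample list */

	printf("suffix=%d exact=%d\n",
	    list_has_group(list, strlen(list), "user", match_suffix),
	    list_has_group(list, strlen(list), "user", match_exact));
	return 0;
}
```

A regression test for a matcher of this kind should cover the name at the start, middle and end of the list, plus entries that contain the name only as a prefix or suffix.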