authorschwarze <schwarze@openbsd.org>2009-03-27 12:31:31 +0000
committerschwarze <schwarze@openbsd.org>2009-03-27 12:31:31 +0000
commit2b13c5a5418de07a7d9e3a4df255403738cf03f7 (patch)
tree84b7543c6481dd478a11e6867007e36c3b98bfca
parentSitecom WL-603 should work according to linux driver (diff)
downloadwireguard-openbsd-2b13c5a5418de07a7d9e3a4df255403738cf03f7.tar.xz
wireguard-openbsd-2b13c5a5418de07a7d9e3a4df255403738cf03f7.zip
getgrouplist: If YP is #defined and enabled in /etc/group(5) and /etc/netid(5)
contains a matching entry, use that and refrain from accessing YP. getpwnam/getpwuid: If YP is #defined and /etc/master.passwd(5) contains a matching entry before the first YP entry, use that and stay away from YP. Taken together, this allows a solution to the following problem pointed out by deraadt@: When YP was configured but temporarily unavailable, even root login would block, hindering you when trying to do repairs. To avoid this, you can now provide a static entry for root in /etc/netid. Using suggestions from miod@ otto@ blambert@ jmc@. "commit" deraadt@, "cool" ajacoutot@, "looks fine" jmc@.
-rw-r--r--lib/libc/gen/getgrouplist.37
-rw-r--r--lib/libc/gen/getgrouplist.c176
-rw-r--r--lib/libc/gen/getpwent.c24
-rw-r--r--share/man/man5/group.510
-rw-r--r--share/man/man5/passwd.510
-rw-r--r--usr.sbin/ypserv/mknetid/netid.596
6 files changed, 222 insertions, 101 deletions
diff --git a/lib/libc/gen/getgrouplist.3 b/lib/libc/gen/getgrouplist.3
index 925be3c1a9c..4774e39d651 100644
--- a/lib/libc/gen/getgrouplist.3
+++ b/lib/libc/gen/getgrouplist.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: getgrouplist.3,v 1.12 2008/07/28 20:19:32 jmc Exp $
+.\" $OpenBSD: getgrouplist.3,v 1.13 2009/03/27 12:31:31 schwarze Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 28 2008 $
+.Dd $Mdocdate: March 27 2009 $
.Dt GETGROUPLIST 3
.Os
.Sh NAME
@@ -49,6 +49,8 @@ is automatically included in the groups list.
Typically this value is given as
the group number from the password file.
If YP is active, the
+.Xr netid 5
+file and the
.Pa netid.byname
YP map will be used in addition to the group file.
.Pp
@@ -76,6 +78,7 @@ group database file
.Xr initgroups 3 ,
.Xr yp_match 3 ,
.Xr group 5 ,
+.Xr netid 5 ,
.Xr yp 8
.Sh HISTORY
The
diff --git a/lib/libc/gen/getgrouplist.c b/lib/libc/gen/getgrouplist.c
index 639b8c009c6..846f0bc56cc 100644
--- a/lib/libc/gen/getgrouplist.c
+++ b/lib/libc/gen/getgrouplist.c
@@ -1,5 +1,6 @@
-/* $OpenBSD: getgrouplist.c,v 1.15 2008/08/23 10:08:02 chl Exp $ */
+/* $OpenBSD: getgrouplist.c,v 1.16 2009/03/27 12:31:31 schwarze Exp $ */
/*
+ * Copyright (c) 2008 Ingo Schwarze <schwarze@usta.de>
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
*
@@ -44,6 +45,101 @@
#include <rpcsvc/yp.h>
#include <rpcsvc/ypclnt.h>
+#ifdef YP
+#define _PATH_NETID "/etc/netid"
+#define MAXLINELENGTH 1024
+
+static int _parse_netid(char*, uid_t, gid_t*, int*, int);
+static int _read_netid(const char *, uid_t, gid_t*, int*, int);
+
+/*
+ * Parse one string of the form "uid:gid[,gid[,...]]".
+ * If the uid matches, add the groups to the group list.
+ * If the groups fit, return 1, otherwise return -1.
+ * If the uid does not match, return 0.
+ */
+static int
+_parse_netid(char *netid, uid_t uid, gid_t *groups, int *ngroups,
+ int maxgroups)
+{
+ const char *errstr = NULL;
+ char *start, *p;
+ uid_t tuid;
+ gid_t gid;
+ int i;
+
+ /* Check the uid. */
+ p = strchr(netid, ':');
+ if (!p)
+ return (0);
+ *p++ = '\0';
+ tuid = (uid_t)strtonum(netid, 0, UID_MAX, &errstr);
+ if (errstr || tuid != uid)
+ return (0);
+
+ /* Loop over the gids. */
+ while (p && *p) {
+ start = p;
+ p = strchr(start, ',');
+ if (p)
+ *p++ = '\0';
+ gid = (gid_t)strtonum(start, 0, GID_MAX, &errstr);
+ if (errstr)
+ continue;
+
+ /* Skip this group if it is already in the list. */
+ for (i = 0; i < *ngroups; i++)
+ if (groups[i] == gid)
+ break;
+
+ /* Try to add this new group to the list. */
+ if (i == *ngroups) {
+ if (*ngroups >= maxgroups)
+ return (-1);
+ groups[(*ngroups)++] = gid;
+ }
+ }
+ return (1);
+}
+
+/*
+ * Search /etc/netid for a particular uid and process that line.
+ * See _parse_netid for details, including return values.
+ */
+static int
+_read_netid(const char *key, uid_t uid, gid_t *groups, int *ngroups,
+ int maxgroups)
+{
+ FILE *fp;
+ char line[MAXLINELENGTH], *p;
+ int found = 0;
+
+ fp = fopen(_PATH_NETID, "r");
+ if (!fp)
+ return (0);
+ while (!found && fgets(line, sizeof(line), fp)) {
+ p = strchr(line, '\n');
+ if (p)
+ *p = '\0';
+ else { /* Skip lines that are too long. */
+ int ch;
+ while ((ch = getc(fp)) != '\n' && ch != EOF)
+ ;
+ continue;
+ }
+ p = strchr(line, ' ');
+ if (!p)
+ continue;
+ *p++ = '\0';
+ if (strcmp(line, key))
+ continue;
+ found = _parse_netid(p, uid, groups, ngroups, maxgroups);
+ }
+ (void)fclose(fp);
+ return (found);
+}
+#endif /* YP */
+
int
getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
{
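Review bot: The header comment on `_parse_netid` does not say that the function writes NUL bytes into `netid`, yet the caller hands it the `yp_match` result that it later passes to `free`, so the destructive parse is something a reader has to discover from the `*p++ = '\0'` lines; add ` * The string is modified in place.` to that comment. The comment on `_read_netid` says it searches for "a particular uid", but the file is matched on `key` (the `unix.<uid>@<domain>` string) and the uid is only verified afterwards inside `_parse_netid`; a more exact first line is ` * Search /etc/netid for a record whose key and embedded uid both match.` It is worth stating there too that an unreadable `/etc/netid` yields 0 so the caller still falls through to YP, and that a gid rejected by `strtonum` is skipped with `continue` rather than invalidating the record, whereas the YP parser this replaces aborted on a bad gid, so that behaviour change should be deliberate. Note also that `found` stays 0 when the key matches but the uid does not, so later records with the same key are still examined, which is slightly more permissive than the "Only the first matching record is used" wording added to netid.5.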
@@ -92,70 +188,36 @@ getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
#ifdef YP
/*
- * If we were told that there is a YP marker, look there now.
+ * If we were told that there is a YP marker, look at netid data.
*/
if (needyp) {
- char buf[1024], *ypdata = NULL, *key, *p;
- const char *errstr = NULL;
+ char buf[MAXLINELENGTH], *ypdata = NULL, *key;
static char *__ypdomain;
struct passwd pwstore;
- int r, ypdatalen;
- gid_t gid;
- uid_t uid;
-
- if (!__ypdomain) {
- if (_yp_check(&__ypdomain) == 0) {
- goto ypout;
- }
- }
-
- if (getpwnam_r(uname, &pwstore, buf, sizeof buf, NULL))
- goto ypout;
+ int ypdatalen;
+ /* Construct the netid key to look up. */
+ if (getpwnam_r(uname, &pwstore, buf, sizeof buf, NULL) ||
+ !__ypdomain && yp_get_default_domain(&__ypdomain))
+ goto out;
asprintf(&key, "unix.%u@%s", pwstore.pw_uid, __ypdomain);
if (key == NULL)
- goto ypout;
- r = yp_match(__ypdomain, "netid.byname", key,
- (int)strlen(key), &ypdata, &ypdatalen);
- free(key);
- if (r != 0)
- goto ypout;
+ goto out;
- /* Parse the "uid:gid[,gid,gid[,...]]" string. */
- p = strchr(ypdata, ':');
- if (!p)
- goto ypout;
- *p++ = '\0';
- uid = (uid_t)strtonum(ypdata, 0, UID_MAX, &errstr);
- if (errstr || uid != pwstore.pw_uid)
- goto ypout;
- while (p && *p) {
- char *start = p;
-
- p = strchr(start, ',');
- if (p)
- *p++ = '\0';
- gid = (uid_t)strtonum(start, 0, GID_MAX, &errstr);
- if (errstr)
- goto ypout;
-
- /* Add new groups to the group list */
- for (i = 0; i < ngroups; i++) {
- if (groups[i] == gid)
- break;
- }
- if (i == ngroups) {
- if (ngroups >= maxgroups) {
- ret = -1;
- goto ypout;
- }
- groups[ngroups++] = gid;
- }
- }
-ypout:
- if (ypdata)
- free(ypdata);
- goto out;
+ /* First scan the static netid file. */
+ if (ret = _read_netid(key, pwstore.pw_uid,
+ groups, &ngroups, maxgroups))
+ goto out;
+
+ /* Only access YP when there is no static entry. */
+ if (!yp_bind(__ypdomain) &&
+ !yp_match(__ypdomain, "netid.byname", key,
+ (int)strlen(key), &ypdata, &ypdatalen))
+ ret = _parse_netid(ypdata, pwstore.pw_uid,
+ groups, &ngroups, maxgroups);
+
+ free(key);
+ free(ypdata);
}
#endif /* YP */
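Review bot: `key` is leaked on the new static-entry path: when `_read_netid` returns non-zero the `goto out` skips the `free(key)` that now sits after the YP lookup, and the same `goto` carries `_read_netid`'s success value of 1 into `ret`, which, if the `out:` label outside this hunk still returns `ret` unchanged, makes getgrouplist report 1 instead of 0 for a user with a static netid record; the YP branch has the same issue through `ret = _parse_netid(...)`. Only -1 should ever reach `ret`, and `key` must be released before leaving, which a `switch` on the result does while also removing the bare assignment in `if (ret = _read_netid(...))` that `-Wparentheses` flags. Parenthesising `(!__ypdomain && yp_get_default_domain(&__ypdomain))` in the condition above would silence the same warning for the mixed `||`/`&&`. The function's prologue and its `out:` epilogue are outside this hunk.
```c
		/* First scan the static netid file. */
		switch (_read_netid(key, pwstore.pw_uid,
		    groups, &ngroups, maxgroups)) {
		case -1:
			ret = -1;
			/* FALLTHROUGH */
		case 1:
			free(key);
			goto out;
		default:
			break;
		}

		/* Only access YP when there is no static entry. */
		if (!yp_bind(__ypdomain) &&
		    !yp_match(__ypdomain, "netid.byname", key,
		    (int)strlen(key), &ypdata, &ypdatalen) &&
		    _parse_netid(ypdata, pwstore.pw_uid,
		    groups, &ngroups, maxgroups) == -1)
			ret = -1;
		/* … unchanged: free(key); free(ypdata); … */
```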
diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index 48b4e6f5e6a..fed489674ec 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getpwent.c,v 1.38 2008/07/23 19:36:47 deraadt Exp $ */
+/* $OpenBSD: getpwent.c,v 1.39 2009/03/27 12:31:31 schwarze Exp $ */
/*
* Copyright (c) 2008 Theo de Raadt
* Copyright (c) 1988, 1993
@@ -577,21 +577,13 @@ static struct passwd *
__yppwlookup(int lookup, char *name, uid_t uid, struct passwd *pw,
char *buf, size_t buflen, int *flagsp)
{
- char bf[1 + _PW_NAME_LEN], *ypcurrent = NULL, *map;
+ char bf[1 + _PW_NAME_LEN], *ypcurrent = NULL, *map = NULL;
int yp_pw_flags = 0, ypcurrentlen, r, s = -1, pw_keynum;
static long yppbuf[_PW_BUF_LEN / sizeof(long)];
struct _ypexclude *ypexhead = NULL;
const char *host, *user, *dom;
DBT key;
- if (lookup == LOOKUP_BYNAME) {
- map = PASSWD_BYNAME;
- name = strdup(name);
- } else {
- map = PASSWD_BYUID;
- asprintf(&name, "%u", uid);
- }
-
for (pw_keynum = 1; pw_keynum; pw_keynum++) {
bf[0] = _PW_KEYBYNUM;
bcopy((char *)&pw_keynum, &bf[1], sizeof(pw_keynum));
@@ -606,6 +598,15 @@ __yppwlookup(int lookup, char *name, uid_t uid, struct passwd *pw,
continue;
}
__ypproto_set(pw, yppbuf, *flagsp, &yp_pw_flags);
+ if (!map) {
+ if (lookup == LOOKUP_BYNAME) {
+ map = PASSWD_BYNAME;
+ name = strdup(name);
+ } else {
+ map = PASSWD_BYUID;
+ asprintf(&name, "%u", uid);
+ }
+ }
switch (pw->pw_name[1]) {
case '\0':
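Review bot: `map` now does double duty in `__yppwlookup`: besides naming the YP map it is the only signal, used at `done:` in the following hunk, that `name` has been replaced by a heap copy and is ours to free, and nothing in the code says so; add `/* map != NULL also means name was replaced by our own allocation */` at the `map = NULL` declaration in the first hunk so the `if (map) free(name);` guard is not "simplified" away later. The `strdup(name)` and `asprintf(&name, ...)` results moved into this block are still unchecked, so on allocation failure `name` becomes NULL and the later comparisons against it proceed with a null pointer; since the commit relocates these lines it is a reasonable moment to bail out of the loop when they fail. The body of `__yppwlookup` continues outside this hunk.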
@@ -715,7 +716,8 @@ done:
if (ypcurrent)
free(ypcurrent);
ypcurrent = NULL;
- free(name);
+ if (map)
+ free(name);
return (pw);
}
#endif /* YP */
diff --git a/share/man/man5/group.5 b/share/man/man5/group.5
index b828451b74e..302b80d88ac 100644
--- a/share/man/man5/group.5
+++ b/share/man/man5/group.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: group.5,v 1.12 2008/07/28 16:27:39 deraadt Exp $
+.\" $OpenBSD: group.5,v 1.13 2009/03/27 12:31:31 schwarze Exp $
.\" $NetBSD: group.5,v 1.4 1995/07/28 06:41:39 phil Exp $
.\"
.\" Copyright (c) 1980, 1991, 1993
@@ -31,7 +31,7 @@
.\"
.\" @(#)group.5 8.3 (Berkeley) 4/19/94
.\"
-.Dd $Mdocdate: July 28 2008 $
+.Dd $Mdocdate: March 27 2009 $
.Dt GROUP 5
.Os
.Sh NAME
@@ -130,6 +130,11 @@ See
and
.Xr getgrouplist 3
for details.
+.Pp
+When YP is enabled but temporarily unavailable, login becomes impossible
+for all users except those having an entry in the
+.Xr netid 5
+file.
.Sh FILES
.Bl -tag -width /etc/group -compact
.It Pa /etc/group
@@ -139,6 +144,7 @@ for details.
.Xr setgroups 2 ,
.Xr crypt 3 ,
.Xr initgroups 3 ,
+.Xr netid 5 ,
.Xr passwd 5 ,
.Xr yp 8
.Sh HISTORY
diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5
index 21b45e1ad33..d9faf023476 100644
--- a/share/man/man5/passwd.5
+++ b/share/man/man5/passwd.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: passwd.5,v 1.34 2008/10/22 20:31:20 jmc Exp $
+.\" $OpenBSD: passwd.5,v 1.35 2009/03/27 12:31:31 schwarze Exp $
.\" $NetBSD: passwd.5,v 1.4 1995/07/28 06:46:05 phil Exp $
.\"
.\" Copyright (c) 1988, 1991, 1993
@@ -31,7 +31,7 @@
.\"
.\" @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\"
-.Dd $Mdocdate: October 22 2008 $
+.Dd $Mdocdate: March 27 2009 $
.Dt PASSWD 5
.Os
.Sh NAME
@@ -278,6 +278,11 @@ will result in
containing:
.Pp
+:*:0:0:::
+.Pp
+When YP is enabled but temporarily unavailable, login becomes impossible
+for all users except those having an entry in the
+.Xr netid 5
+file.
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
@@ -286,6 +291,7 @@ containing:
.Xr getpwent 3 ,
.Xr login.conf 5 ,
.Xr netgroup 5 ,
+.Xr netid 5 ,
.Xr adduser 8 ,
.Xr Makefile.yp 8 ,
.Xr pwd_mkdb 8 ,
diff --git a/usr.sbin/ypserv/mknetid/netid.5 b/usr.sbin/ypserv/mknetid/netid.5
index 8560fdf21e5..c22c4cb66cf 100644
--- a/usr.sbin/ypserv/mknetid/netid.5
+++ b/usr.sbin/ypserv/mknetid/netid.5
@@ -1,5 +1,6 @@
-.\" $OpenBSD: netid.5,v 1.11 2007/05/31 19:20:31 jmc Exp $
+.\" $OpenBSD: netid.5,v 1.12 2009/03/27 12:31:31 schwarze Exp $
.\"
+.\" Copyright (c) 2008 Ingo Schwarze <schwarze@usta.de>
.\" Copyright (c) 1996 Mats O Jansson <moj@stacken.kth.se>
.\" All rights reserved.
.\"
@@ -24,54 +25,95 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: March 27 2009 $
.Dt NETID 5
.Os
.Sh NAME
.Nm netid
-.Nd
-.Nm YP
-network credential file
+.Nd YP network credential file
.Sh DESCRIPTION
-Files in
-.Nm netid
-format are rare.
-One lives in the
-.Nm YP
-map
-.Dq netid.byname .
-The format is rather simple.
-Each row consists of two items: a key and a value.
-When created by
-.Xr mknetid 8
-there are three types of records.
+The file
+.Pa /etc/netid
+consists of newline separated ASCII records.
+Each record consists of a key, a single blank character, and a value.
+The key and the value may be arbitrary strings except that neither
+may contain blank characters.
.Pp
-The first type is information about which GIDs a UID has:
+Records in the file
+.Pa /etc/netid
+and in the
+.Pa netid.byname
+YP map are ignored by the system unless they have the following form:
.Bd -literal
-unix.<uid>@<yp-domain> <uid>:<gid>,<gid>
+unix.<uid>@<yp-domain> <uid>:<gid>,<gid>,...
.Ed
.Pp
-The second type contains information about hosts:
+When YP is enabled in the
+.Xr group 5
+file, such records specify that the function
+.Xr getgrouplist 3
+shall return the specified groups in addition to the groups
+found in the group file.
+The file
+.Pa /etc/netid
+is parsed before the
+.Pa netid.byname
+YP map.
+Only the first matching record is used.
+.Pp
+The main use of the
+.Pa /etc/netid
+file is to allow certain users to log in even while YP is enabled but
+temporarily unavailable.
+These users must also be listed in the local
+.Xr master.passwd 5
+file.
+If consistency of group membership information is required while YP is
+enabled and available, all records in the
+.Pa /etc/netid
+file must agree with records in the
+.Pa netid.byname
+YP map, although the latter may contain additional records.
+If consistency of group membership information is required even while YP is
+enabled but unavailable, the records in the
+.Pa /etc/netid
+file must not grant more group memberships than the
+.Xr group 5
+file, and users having their own record in the
+.Pa /etc/netid
+file must not show up in the
+.Pa group.byname
+and
+.Pa group.bygid
+YP maps.
+.Pp
+On a YP master server,
+.Xr Makefile.yp 8
+uses the
+.Xr mknetid 8
+utility to generate the
+.Pa netid.byname
+YP map.
+In this case, the YP map will also contain records of the following form:
.Bd -literal
unix.<hostname>@<yp-domain> 0:<hostname>
.Ed
.Pp
-The third type refers to records from a
-.Nm netid
-file other than the two types above.
+Such records are ignored by the system.
.Sh FILES
.Bl -tag -width /etc/netid -compact
.It Pa /etc/netid
-for lines not generated automatically by
-.Xr mknetid 8 .
.El
.Sh EXAMPLES
-A configuration file might look like the following:
-.Bd -literal
+A netid file or YP map might look like the following:
+.Bd -literal -offset indent
unix.10714@kaka 10714:400,10
unix.jodie@kaka 0:jodie
.Ed
.Sh SEE ALSO
+.Xr getgrouplist 3 ,
+.Xr group 5 ,
+.Xr Makefile.yp 8 ,
.Xr mknetid 8 ,
.Xr yp 8
.Sh AUTHORS