Re: pw_user.c change for samba ( perl scripts!)

2002-12-03 Thread Lyndon Nerenberg
> I can't find any shell script 'adduser' in
> http://www.freebsd.org/cgi/cvsweb.cgi/
> Where can I find it?

I'm not sure about the one Terry (?) mentioned, but I have a shell
replacement for adduser that's 98% complete. There's one remaining
bug. I wasn't going to say anything until I had rmuser done as well
(it's not, yet). If people are interested I'll clean up the adduser
part and put it up for FTP. (FWIW, my version front-ends pw, and
takes its policy from pw.conf.)

--lyndon

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-current in the body of the message



Re: pw_user.c change for samba

2002-12-01 Thread Matthew D. Fuller
On Sat, Nov 30, 2002 at 10:24:58PM -0500 I heard the voice of
Garance A Drosihn, and lo! it spake thus:
>
> However, that doesn't answer the question of which 'adduser' is
> actually expected to be used in 5.0-current.  Does someone have
> the shell-script (non-perl) version of adduser?  Is it named
> something else, perhaps?
>
> Or are we going to ship 5.0-release with an 'adduser' that does
> require perl, even though perl is not in the base system?

I've had, among my stalled ideas, an intent to rewrite {add,rm}user in C
backending into pw(8) for all the dirty work.  Of course, that's waiting
for me to complete my porcine aviation instruction.


-- 
Matthew Fuller (MF4839)   |  [EMAIL PROTECTED]
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/

The only reason I'm burning my candle at both ends, is because I
  haven't figured out how to light the middle yet




Re: pw_user.c change for samba

2002-11-30 Thread Garance A Drosihn
At 7:06 PM -0800 11/27/02, Terry Lambert wrote:

> NAKAJI Hiroyuki wrote:
> > My /usr/sbin/adduser, updated on Nov/23/2002 21:58 JST, does
> > not call pw command. It adds account to /etc/master.passwd and
> > invokes 'pwd_mkdb'.
> >
> > See 'sub new_users' function in /usr/sbin/adduser.
>
> There are two adduser scripts.  One is perl, and one was written
> to use pw and provide the same semantics, in a shell script, as
> part of the perl purge that happened recently.
>
> One of them pukes on the trailing $, and the other doesn't.
>
> It's confusing, unless you caught that we were talking about
> most recent -current.


Well, I took Terry's earlier patch to 'pw', and modified it so that
login names can include a trailing '$' (among other things).  I
tried this, and immediately ran into the problem that 'pw' wants
to create a group-name the same as the login-name.  Perhaps it would
be best for us just to leave it such that any valid login name is
also a valid group name.  So, I should probably redo this update
again, because it can be much simpler.

However, that doesn't answer the question of which 'adduser' is
actually expected to be used in 5.0-current.  Does someone have
the shell-script (non-perl) version of adduser?  Is it named
something else, perhaps?

Or are we going to ship 5.0-release with an 'adduser' that does
require perl, even though perl is not in the base system?

--
Garance Alistair Drosehn=   [EMAIL PROTECTED]
Senior Systems Programmer   or  [EMAIL PROTECTED]
Rensselaer Polytechnic Instituteor  [EMAIL PROTECTED]




Re: pw_user.c change for samba ( perl scripts!)

2002-11-28 Thread Bruno Miguel
On 28 Nov 2002 at 0:05, Garance A Drosihn wrote...

> At 1:24 PM +0900 11/28/02, NAKAJI Hiroyuki wrote:
> > In [EMAIL PROTECTED]
> > Terry Lambert [EMAIL PROTECTED] wrote:
> >
> > > There are two adduser scripts.  One is perl, and one was written
> > > to use pw and provide the same semantics, in a shell script, as
> > > part of the perl purge that happened recently.
> >
> > I can't find any shell script 'adduser' in
> > http://www.freebsd.org/cgi/cvsweb.cgi/
> >
> > Where can I find it?
>
> Hmm, I also see only the perl-script one.  I could have sworn that
> this had been rewritten as part of moving perl out of the base
> system.  Hrm.  *That* implies the base system might still have some
> perl scripts lying around.

I just cvsupped and the adduser perl script is still the one used.

Bruno Miguel Afonso, Biological Eng. student.
brunomiguel at dequim dot ist dot utl dot pt
D.E.Q. @ I.S.T. - Portugal
Linux is for Microsoft haters. BSD is for Unix lovers.





pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
I know we're in a code freeze right now, but would anyone have a
problem with this patch once the freeze is up?  This brings us closer
to allowing samba to automatically join machines to the domain.

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org

Index: pw_user.c
===
RCS file: /home/ncvs/src/usr.sbin/pw/pw_user.c,v
retrieving revision 1.51
diff -u -r1.51 pw_user.c
--- pw_user.c   24 Jun 2002 11:33:17 -  1.51
+++ pw_user.c   27 Nov 2002 19:07:02 -
@@ -1195,7 +1195,7 @@
 pw_checkname(u_char *name, int gecos)
 {
int l = 0;
-   char const *notch = gecos ? :!@ :  ,\t:+#%$^()!@~*?=|\\/\;
+   char const *notch = gecos ? :!@ :  ,\t:+#%^()!@~*?=|\\/\;
 
while (name[l]) {
if (strchr(notch, name[l]) != NULL || name[l]  ' ' || name[l] == 127 
||
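Review bot: removing '$' from the non-gecos blacklist in pw_checkname() relaxes the check for every caller that passes gecos == 0, which, as later replies in this thread point out, means group names and login classes as well as the login name, and it admits '$' at any position rather than only as the trailing character Samba machine accounts use. A narrower fix would replace the `int gecos` flag with a check type that has a separate login-name case and add a positional test (reject a '$' unless it is the last character of a login name) instead of dropping the character from the list.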



Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
On Wed, Nov 27, 2002 at 02:32:22PM -0500, David Rhodus wrote:
> Can you provide more meaning as to what the patch does?

It allows usage of $ signs for adding users like

pw add user asdf$  which for samba asdf$ would be a computer name
 
-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org




Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
David W. Chapman Jr. wrote:
> I know we're in a code freeze right now, but would anyone have a
> problem with this patch once the freeze is up?  This brings us closer
> to allowing samba to automatically join machines to the domain.

This change permits '$' in the account name, group name, and
login class fields.

Why is this actually necessary for SAMBA?

Is it necessary for all three of these to permit this, or is
it sufficient to (for example) allow it in the group name?

-- Terry




Re: pw_user.c change for samba

2002-11-27 Thread Juli Mallett
* From: Terry Lambert [EMAIL PROTECTED] [ Date: 2002-11-27 ]
[ Subject: Re: pw_user.c change for samba ]
> David W. Chapman Jr. wrote:
> > I know we're in a code freeze right now, but would anyone have a
> > problem with this patch once the freeze is up?  This brings us closer
> > to allowing samba to automatically join machines to the domain.
>
> This change permits '$' in the account name, group name, and
> login class fields.
>
> Why is this actually necessary for SAMBA?

Go read the SAMBA website, there's a good deal about how us lucky
FreeBSD + SAMBA users get to vipw+vi /etc/group by hand, since pw(8)
doesn't let one do what [adduser] does.
-- 
Juli Mallett [EMAIL PROTECTED]
OpenDarwin, Mono, FreeBSD Developer.
ircd-hybrid Developer, EFnet addict.
FreeBSD on MIPS-Anything on FreeBSD.




Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
> Why is this actually necessary for SAMBA?
>
> Is it necessary for all three of these to permit this, or is
> it sufficient to (for example) allow it in the group name?
>

Samba needs a user account for the domain machine account

the machine account always ends with a $

So it would only have to be for the account name
-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org




Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
>
> Go read the SAMBA website, there's a good deal about how us lucky
> FreeBSD + SAMBA users get to vipw+vi /etc/group by hand, since pw(8)
> doesn't let one do what [adduser] does.

Last I checked adduser doesn't even let you use $

It claims to support it with the RE it shows you, but then when you 
try to add a user with a $ in it, it says you've entered an invalid 
user name.

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org




Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
David W. Chapman Jr. wrote:
> > Why is this actually necessary for SAMBA?
> >
> > Is it necessary for all three of these to permit this, or is
> > it sufficient to (for example) allow it in the group name?
> >
>
> Samba needs a user account for the domain machine account
>
> the machine account always ends with a $
>
> So it would only have to be for the account name

I gathered that from the SAMBA site, too.

The '$' is a pain.  None of the examples in the original post
would have worked, because the '$' was not '\$', and the shell
would have blown chunks over the variable expansion.

It seems to me that this could cause a great deal of problems
for scripts that process the password files, as they currently
exist, if they use constructs like eval, or back-ticks, etc.

If it's allowed, it would probably only be allowed in the
user name (i.e. the patch is wrong; it should probably add
another parameter to the allowable values of 'int gecos', and
change it to 'int checktype' or similar).

It seems to me that another alternative is that all these
names end in '$'; therefore, when you are expecting one of
these names, you could imply a '$', without needing to actually
have it in the password file -- in other words, it's an
attribute, not really part of the account name.

Will this open up a security hole for a normal user account
being used to compromise the domain system security?  Is it
absolutely necessary to use an in-band method to distinguish
these records from ordinary user accounts?

If the answer to either of these is no, then it seems that
implying the '$', rather than permitting it directly, would be
best, to keep scripts working.

-- Terry




Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
> I gathered that from the SAMBA site, too.
>
> The '$' is a pain.  None of the examples in the original post
> would have worked, because the '$' was not '\$', and the shell
> would have blown chunks over the variable expansion.

The patch I sent in works with pw add user asdf$, but you may be 
right about scripts if the $ is at the beginning.

> It seems to me that this could cause a great deal of problems
> for scripts that process the password files, as they currently
> exist, if they use constructs like eval, or back-ticks, etc.

The problems are already being caused though.  If one wants samba to 
work on NT/2K/XP they have to manually add these entries in now 
anyway.

> If it's allowed, it would probably only be allowed in the
> user name (i.e. the patch is wrong; it should probably add
> another parameter to the allowable values of 'int gecos', and
> change it to 'int checktype' or similar).

I don't have a problem with this, but the patch I sent in is the
extent of my abilities to give me desired results (making pw like
samba)

> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
>
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security?  Is it
> absolutely necessary to use an in-band method to distinguish
> these records from ordinary user accounts?

I don't think the samba people would be willing to make this type of 
change just for FreeBSD since it works for most everyone else.  I 
also don't think there is currently a way to store attributes about 
machines/users permanently in samba.

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org




Re: pw_user.c change for samba

2002-11-27 Thread Garance A Drosihn
At 2:34 PM -0600 11/27/02, David W. Chapman Jr. wrote:

> > Why is this actually necessary for SAMBA?
> >
> > Is it necessary for all three of these to permit this, or is
> > it sufficient to (for example) allow it in the group name?
>
> Samba needs a user account for the domain machine account
>
> the machine account always ends with a $
>
> So it would only have to be for the account name

I think I'd prefer a somewhat more involved change, one which
allowed $ only for account-name, and only as the last character.
That seems like a good idea to me.

But then, I'm not volunteering to write it...   :-)

--
Garance Alistair Drosehn=   [EMAIL PROTECTED]
Senior Systems Programmer   or  [EMAIL PROTECTED]
Rensselaer Polytechnic Instituteor  [EMAIL PROTECTED]




Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
David W. Chapman Jr. wrote:
> > If it's allowed, it would probably only be allowed in the
> > user name (i.e. the patch is wrong; it should probably add
> > another parameter to the allowable values of 'int gecos', and
> > change it to 'int checktype' or similar).
>
> I don't have a problem with this, but the patch I sent in is the
> extent of my abilities to give me desired results (making pw like
> samba)

See attached patch.  It could still screw scripts (e.g. the perl
script version of adduser) by allowing the $ in the login
field, but at least it keeps it out of the login class and group
fields.

See below, though: I don't think '$' should be permitted.


> > It seems to me that another alternative is that all these
> > names end in '$'; therefore, when you are expecting one of
> > these names, you could imply a '$', without needing to actually
> > have it in the password file -- in other words, it's an
> > attribute, not really part of the account name.
> >
> > Will this open up a security hole for a normal user account
> > being used to compromise the domain system security?  Is it
> > absolutely necessary to use an in-band method to distinguish
> > these records from ordinary user accounts?
>
> I don't think the samba people would be willing to make this type of
> change just for FreeBSD since it works for most everyone else.  I
> also don't think there is currently a way to store attributes about
> machines/users permanently in samba.

I think you misunderstand.

The intent is to allow accounts without $ appended to be used
as machine logins.  Samba would see the '$', remove it, and check
normally.

The potential problem is that normal user accounts could be used
in place of machines.

The proper BSD way to avoid this hack would be to add a login
class samba_server (or whatever), and make Samba permit this
type of check only if the user was in the correct login class.

-- Terry
Index: pw.h
===
RCS file: /cvs/src/usr.sbin/pw/pw.h,v
retrieving revision 1.13
diff -c -r1.13 pw.h
*** pw.h5 Jul 2001 08:01:15 -   1.13
--- pw.h27 Nov 2002 17:21:03 -
***
*** 62,67 
--- 62,74 
  W_NUM
  };
  
+ enum _checktype
+ {
+   PWC_DEFAULT,
+   PWC_GECOS,
+   PWC_LOGIN
+ };
+ 
  struct carg
  {
int   ch;
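Review bot: `enum _checktype` uses a leading underscore for a file-scope tag, and C reserves every identifier that begins with an underscore at file scope in both the ordinary and tag name spaces (C99 7.1.3), so a plain `enum checktype` (or a typedef) would be safer. The three enumerators themselves map cleanly onto the call sites below, and having PWC_DEFAULT as value 0 means any stale caller that still passes 0 lands on the most restrictive case.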
***
*** 105,111 
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char*pw_checkname(u_char *name, int gecos);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
--- 112,118 
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char*pw_checkname(u_char *name, enum _checktype checktype);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
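Review bot: changing the parameter from `int gecos` to `enum _checktype checktype` does not by itself make an external caller that still passes 0 or 1 fail to compile, because C converts an int to an enumerated type implicitly, usually without any diagnostic; only a C++ caller would be rejected. If the goal is for outside users of this exported prototype to break at build time, renaming the function is the reliable way; otherwise document that the old 0 now means PWC_DEFAULT.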
Index: pw_user.c
===
RCS file: /cvs/src/usr.sbin/pw/pw_user.c,v
retrieving revision 1.51
diff -c -r1.51 pw_user.c
*** pw_user.c   24 Jun 2002 11:33:17 -  1.51
--- pw_user.c   27 Nov 2002 17:30:43 -
***
*** 231,237 
}
}
if ((arg = getarg(args, 'L')) != NULL)
!   cnf-default_class = pw_checkname((u_char *)arg-val, 0);
  
if ((arg = getarg(args, 'G')) != NULL  arg-val) {
int i = 0;
--- 231,237 
}
}
if ((arg = getarg(args, 'L')) != NULL)
!   cnf-default_class = pw_checkname((u_char *)arg-val, PWC_DEFAULT);
  
if ((arg = getarg(args, 'G')) != NULL  arg-val) {
int i = 0;
***
*** 293,299 
}
  
if ((a_name = getarg(args, 'n')) != NULL)
!   pwd = GETPWNAM(pw_checkname((u_char *)a_name-val, 0));
a_uid = getarg(args, 'u');
  
if (a_uid == NULL) {
--- 293,299 
}
  
if ((a_name = getarg(args, 'n')) != NULL)
!   pwd = GETPWNAM(pw_checkname((u_char *)a_name-val, PWC_LOGIN));
a_uid = getarg(args, 'u');
  
if (a_uid == NULL) {
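Review bot: PWC_LOGIN here applies to the -n name, which this code uses for looking up an existing account (GETPWNAM) as well as on the add path, so a trailing-'$' account can be created and later addressed by name; this is consistent with the -l rename hunk below. What the visible part of the patch does not contain is the body of pw_checkname() itself, so whether '$' is accepted anywhere in a login name or only as its last character cannot be confirmed from this diff; a positional test there would be the natural place to enforce the trailing-only rule.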
***
*** 455,461 
if ((arg = getarg(args, 'l')) != NULL) {
if (strcmp(pwd-pw_name, root) == 0)
errx(EX_DATAERR, can't rename `root' account);
!   pwd-pw_name = pw_checkname((u_char *)arg-val, 0);
edited = 1;
}
  
--- 455,461 
if ((arg = getarg(args, 'l')) != NULL) {
if (strcmp(pwd-pw_name, root) == 0)
errx(EX_DATAERR, can't rename `root' account);
!   pwd-pw_name = pw_checkname((u_char *)arg-val, PWC_LOGIN);
edited = 1;
}
  
***
*** 595,601 
 * Shared add/edit code
 

Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
Garance A Drosihn wrote:
> > the machine account always ends with a $
> >
> > So it would only have to be for the account name
>
> I think I'd prefer a somewhat more involved change, one which
> allowed $ only for account-name, and only as the last character.
> That seems like a good idea to me.
>
> But then, I'm not volunteering to write it...   :-)

My change doesn't allow it only for the last, but it does restrict
it to the login name.

I notice that pw.h exports the code.  If someone is using the
function from outside, that's probably something that needs to
be considered.  I've changed the prototype, so that it will
at least complain on compilation, if someone is using the code
that way.

I think the $ on the end worked because of the dangling $
handling in the shell they happened to be using; the
original example names are still broken for some shells, with
no back-quoting.

-- Terry




Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
Oops.  Better patch attached (damn Makefile dependencies are
broken unless you manually build them via make depend).

-- Terry
Index: pw.h
===
RCS file: /cvs/src/usr.sbin/pw/pw.h,v
retrieving revision 1.13
diff -c -r1.13 pw.h
*** pw.h5 Jul 2001 08:01:15 -   1.13
--- pw.h27 Nov 2002 17:21:03 -
***
*** 62,67 
--- 62,74 
  W_NUM
  };
  
+ enum _checktype
+ {
+   PWC_DEFAULT,
+   PWC_GECOS,
+   PWC_LOGIN
+ };
+ 
  struct carg
  {
int   ch;
***
*** 105,111 
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char*pw_checkname(u_char *name, int gecos);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
--- 112,118 
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char*pw_checkname(u_char *name, enum _checktype checktype);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
Index: pw_group.c
===
RCS file: /cvs/src/usr.sbin/pw/pw_group.c,v
retrieving revision 1.13
diff -c -r1.13 pw_group.c
*** pw_group.c  22 Jun 2000 16:48:41 -  1.13
--- pw_group.c  27 Nov 2002 17:44:10 -
***
*** 135,141 
grp-gr_gid = (gid_t) atoi(a_gid-val);
  
if ((arg = getarg(args, 'l')) != NULL)
!   grp-gr_name = pw_checkname((u_char *)arg-val, 0);
} else {
if (a_name == NULL) /* Required */
errx(EX_DATAERR, group name required);
--- 135,141 
grp-gr_gid = (gid_t) atoi(a_gid-val);
  
if ((arg = getarg(args, 'l')) != NULL)
!   grp-gr_name = pw_checkname((u_char *)arg-val, PWC_DEFAULT);
} else {
if (a_name == NULL) /* Required */
errx(EX_DATAERR, group name required);
***
*** 145,151 
extendarray(members, grmembers, 200);
members[0] = NULL;
grp = fakegroup;
!   grp-gr_name = pw_checkname((u_char *)a_name-val, 0);
grp-gr_passwd = *;
grp-gr_gid = gr_gidpolicy(cnf, args);
grp-gr_mem = members;
--- 145,151 
extendarray(members, grmembers, 200);
members[0] = NULL;
grp = fakegroup;
!   grp-gr_name = pw_checkname((u_char *)a_name-val, PWC_DEFAULT);
grp-gr_passwd = *;
grp-gr_gid = gr_gidpolicy(cnf, args);
grp-gr_mem = members;
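Review bot: PWC_DEFAULT on the groupadd path correctly keeps '$' out of /etc/group, but if pw useradd creates a group named after the new login (the behaviour Garance reports on Nov 30 in this thread: 'pw' wants to create a group-name the same as the login-name), a login such as asdf$ passes the PWC_LOGIN check and is then rejected when the matching group is created. Either that auto-created group needs a name without the '$', or the group check needs to tolerate it, and the useradd path should be exercised with a trailing-'$' name before this is committed.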
Index: pw_user.c
===
RCS file: /cvs/src/usr.sbin/pw/pw_user.c,v
retrieving revision 1.51
diff -c -r1.51 pw_user.c
*** pw_user.c   24 Jun 2002 11:33:17 -  1.51
--- pw_user.c   27 Nov 2002 17:30:43 -
***
*** 231,237 
}
}
if ((arg = getarg(args, 'L')) != NULL)
!   cnf-default_class = pw_checkname((u_char *)arg-val, 0);
  
if ((arg = getarg(args, 'G')) != NULL  arg-val) {
int i = 0;
--- 231,237 
}
}
if ((arg = getarg(args, 'L')) != NULL)
!   cnf-default_class = pw_checkname((u_char *)arg-val, PWC_DEFAULT);
  
if ((arg = getarg(args, 'G')) != NULL  arg-val) {
int i = 0;
***
*** 293,299 
}
  
if ((a_name = getarg(args, 'n')) != NULL)
!   pwd = GETPWNAM(pw_checkname((u_char *)a_name-val, 0));
a_uid = getarg(args, 'u');
  
if (a_uid == NULL) {
--- 293,299 
}
  
if ((a_name = getarg(args, 'n')) != NULL)
!   pwd = GETPWNAM(pw_checkname((u_char *)a_name-val, PWC_LOGIN));
a_uid = getarg(args, 'u');
  
if (a_uid == NULL) {
***
*** 455,461 
if ((arg = getarg(args, 'l')) != NULL) {
if (strcmp(pwd-pw_name, root) == 0)
errx(EX_DATAERR, can't rename `root' account);
!   pwd-pw_name = pw_checkname((u_char *)arg-val, 0);
edited = 1;
}
  
--- 455,461 
if ((arg = getarg(args, 'l')) != NULL) {
if (strcmp(pwd-pw_name, root) == 0)
errx(EX_DATAERR, can't rename `root' account);
!   pwd-pw_name = pw_checkname((u_char *)arg-val, PWC_LOGIN);
edited = 1;
}
  
***
*** 595,601 
 * Shared add/edit code
 */
if ((arg = getarg(args, 'c')) != NULL) {
! 
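Review bot: the hunk is cut off in the archive right after `if ((arg = getarg(args, 'c')) != NULL) {`, so the call that should now pass PWC_GECOS for the comment field is not visible; that site matters because passing PWC_DEFAULT there would reject the spaces and commas that gecos strings routinely contain, which the old `gecos` flag allowed.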

Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
On Wed, Nov 27, 2002 at 01:37:05PM -0800, Terry Lambert wrote:
> David W. Chapman Jr. wrote:
> > > If it's allowed, it would probably only be allowed in the
> > > user name (i.e. the patch is wrong; it should probably add
> > > another parameter to the allowable values of 'int gecos', and
> > > change it to 'int checktype' or similar).
> >
> > I don't have a problem with this, but the patch I sent in is the
> > extent of my abilities to give me desired results (making pw like
> > samba)
>
> See attached patch.  It could still screw scripts (e.g. the perl
> script version of adduser) by allowing the $ in the login
> field, but at least it keeps it out of the login class and group
> fields.

That sounds great!

> I think you misunderstand.
>
> The intent is to allow accounts without $ appended to be used
> as machine logins.  Samba would see the '$', remove it, and check
> normally.
>
> The proper BSD way to avoid this hack would be to add a login
> class samba_server (or whatever), and make Samba permit this
> type of check only if the user was in the correct login class.

Unfortunately they have to support more than just BSD, but I do agree 
with you that there is probably a better way of doing things.  I am 
just not technically inclined enough to bring this to the attention 
of the samba team properly.  I do have some contacts I could forward 
to anyone that is interested in trying to persuade them though.

-- 
David W. Chapman Jr.
[EMAIL PROTECTED]   Raintree Network Services, Inc. www.inethouston.net
[EMAIL PROTECTED]   FreeBSD Committer www.FreeBSD.org




Re: pw_user.c change for samba

2002-11-27 Thread Giorgos Keramidas
On 2002-11-27 12:55, Terry Lambert [EMAIL PROTECTED] wrote:
> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
>
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security?

Probably 'yes'.  I haven't tried this, but I guess one could name his
machine Administrator.  When that username is passed around, is it
clear that it is a machine name and not a user name?  I guess that if
this way someone just might trick a remote SMB server that his
username is 'Administrator' by changing his local machine's name, we
have a problem...




Re: pw_user.c change for samba

2002-11-27 Thread Juli Mallett
* From: Terry Lambert [EMAIL PROTECTED] [ Date: 2002-11-27 ]
[ Subject: Re: pw_user.c change for samba ]
> David W. Chapman Jr. wrote:
> > > Why is this actually necessary for SAMBA?
> > >
> > > Is it necessary for all three of these to permit this, or is
> > > it sufficient to (for example) allow it in the group name?
> > >
> >
> > Samba needs a user account for the domain machine account
> >
> > the machine account always ends with a $
> >
> > So it would only have to be for the account name
>
> I gathered that from the SAMBA site, too.
>
> The '$' is a pain.  None of the examples in the original post
> would have worked, because the '$' was not '\$', and the shell
> would have blown chunks over the variable expansion.

Your foundation is flawed, we allow $ in passwd just fine, and
the only problem here is whether a pw should let someone do
something we support which they might need to do.

Juli.
-- 
Juli Mallett [EMAIL PROTECTED]
OpenDarwin, Mono, FreeBSD Developer.
ircd-hybrid Developer, EFnet addict.
FreeBSD on MIPS-Anything on FreeBSD.




Re: pw_user.c change for samba

2002-11-27 Thread Marcin Dalecki
David W. Chapman Jr. wrote:
> On Wed, Nov 27, 2002 at 01:37:05PM -0800, Terry Lambert wrote:
> > David W. Chapman Jr. wrote:
> > > > If it's allowed, it would probably only be allowed in the
> > > > user name (i.e. the patch is wrong; it should probably add
> > > > another parameter to the allowable values of 'int gecos', and
> > > > change it to 'int checktype' or similar).
> > >
> > > I don't have a problem with this, but the patch I sent in is the
> > > extent of my abilities to give me desired results (making pw like
> > > samba)
> >
> > See attached patch.  It could still screw scripts (e.g. the perl
> > script version of adduser) by allowing the $ in the login
> > field, but at least it keeps it out of the login class and group
> > fields.
>
> That sounds great!
>
> > I think you misunderstand.
> >
> > The intent is to allow accounts without $ appended to be used
> > as machine logins.  Samba would see the '$', remove it, and check
> > normally.
> >
> > The proper BSD way to avoid this hack would be to add a login
> > class samba_server (or whatever), and make Samba permit this
> > type of check only if the user was in the correct login class.

I have just forwarded the above suggestion to Volker Lendecke from
the samba team, since:

1. It makes perfect sense at least to me.

2. Accidentally I know him personally, so he will not mind nagging.

> Unfortunately they have to support more than just BSD, but I do agree
> with you that there is probably a better way of doing things.  I am
> just not technically inclined enough to bring this to the attention
> of the samba team properly.  I do have some contacts I could forward
> to anyone that is interested in trying to persuade them though.

--
	Marcin Dalecki





Re: pw_user.c change for samba

2002-11-27 Thread NAKAJI Hiroyuki
David W. Chapman Jr. [EMAIL PROTECTED] wrote:

David> Last I checked adduser doesn't even let you use $

How about setting

usernameregexp = '^[a-z0-9_][a-z0-9_-]*[a-z0-9_$-]$'

in /etc/adduser.conf?

It allows making a 'machine account' ending with '$'. I checked this
about two months ago.
-- 
NAKAJI Hiroyuki

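As an added illustration (not code from the thread, from pw(8) or from adduser), the check below combines the two policies discussed here: a pw_checkname()-style blacklist extended with a check type that admits '$' only in a login name and only as its final character (the restriction Garance asked for and Terry's patch does not yet impose), beside NAKAJI Hiroyuki's adduser.conf usernameregexp compiled with POSIX regex(3) so both can be run over the same constructed names. The enum values mirror the names in Terry's patch; the functions name_ok() and adduser_regexp_ok(), the rejection of non-ASCII bytes and the sample names are this example's own.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Same three cases as the enum in Terry's patch; the values are this example's. */
enum checktype { PWC_DEFAULT, PWC_GECOS, PWC_LOGIN };

/* Characters pw refuses outside the gecos field, minus '$', which is
 * decided positionally below instead of by blacklist. */
static const char notch_name[]  = " ,\t:+#%^()!@~*?=|\\/\"";
/* Characters pw refuses inside the gecos field. */
static const char notch_gecos[] = ":!@";

/*
 * Return 1 if name is acceptable for the field described by ct, else 0.
 * PWC_DEFAULT covers group names and login classes, PWC_LOGIN the login
 * name, PWC_GECOS the comment field.
 */
int name_ok(const char *name, enum checktype ct)
{
    size_t len = strlen(name);
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        /* Control characters and DEL as in pw; non-ASCII bytes are
         * refused too, which is this example's own choice. */
        if (c < ' ' || c >= 127)
            return 0;
        if (ct == PWC_GECOS) {
            if (strchr(notch_gecos, c) != NULL)
                return 0;
            continue;
        }
        if (strchr(notch_name, c) != NULL)
            return 0;
        /* '$' only in a login name, only as the last character, and
         * never as the whole name. */
        if (c == '$' && (ct != PWC_LOGIN || i != len - 1 || len == 1))
            return 0;
    }
    return 1;
}

/*
 * The usernameregexp proposed for /etc/adduser.conf in this thread,
 * compiled as a POSIX extended regex.  Returns 1 on match, 0 otherwise.
 * Note that the pattern needs at least two characters, so "a" is rejected.
 */
int adduser_regexp_ok(const char *name)
{
    static const char pattern[] = "^[a-z0-9_][a-z0-9_-]*[a-z0-9_$-]$";
    regex_t re;
    int matched;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    matched = regexec(&re, name, 0, NULL, 0) == 0;
    regfree(&re);
    return matched;
}

int main(void)
{
    /* Constructed sample names covering the cases argued in the thread. */
    static const char *samples[] = {
        "asdf$", "a$b", "$", "a", "Administrator$", "Joe User", "a:b"
    };
    size_t i;

    printf("%-15s %5s %11s %5s %10s\n",
           "name", "login", "group/class", "gecos", "adduser-re");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s %5d %11d %5d %10d\n", samples[i],
               name_ok(samples[i], PWC_LOGIN),
               name_ok(samples[i], PWC_DEFAULT),
               name_ok(samples[i], PWC_GECOS),
               adduser_regexp_ok(samples[i]));
    return 0;
}
```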



Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.

> David> Last I checked adduser doesn't even let you use $
>
> How about setting
>
> usernameregexp = '^[a-z0-9_][a-z0-9_-]*[a-z0-9_$-]$'
>
> in /etc/adduser.conf?
>
> It allows making a 'machine account' ending with '$'. I checked this
> about two months ago.

Wouldn't pw still have to be updated?  I haven't looked at adduser but I
thought it was a wrapper for pw?





Re: pw_user.c change for samba

2002-11-27 Thread NAKAJI Hiroyuki
In 005501c29670$d5fd8360$fe01a8c0@dwcjr
David W. Chapman Jr. [EMAIL PROTECTED] wrote:

David> Wouldn't pw still have to be updated?  I haven't looked at adduser but I
David> thought it was a wrapper for pw?

No.

My /usr/sbin/adduser, updated on Nov/23/2002 21:58 JST, does not call
pw command. It adds account to /etc/master.passwd and invokes
'pwd_mkdb'.

See 'sub new_users' function in /usr/sbin/adduser.
-- 
NAKAJI Hiroyuki




Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
Juli Mallett wrote:
> > The '$' is a pain.  None of the examples in the original post
> > would have worked, because the '$' was not '\$', and the shell
> > would have blown chunks over the variable expansion.
>
> Your foundation is flawed, we allow $ in passwd just fine, and
> the only problem here is whether a pw should let someone do
> something we support which they might need to do.

Apply the patch.

Then try to add a user with a trailing $ via adduser(1);  Note
the failure.

-- Terry




Re: pw_user.c change for samba

2002-11-27 Thread David W. Chapman Jr.
> > > The '$' is a pain.  None of the examples in the original post
> > > would have worked, because the '$' was not '\$', and the shell
> > > would have blown chunks over the variable expansion.
> >
> > Your foundation is flawed, we allow $ in passwd just fine, and
> > the only problem here is whether a pw should let someone do
> > something we support which they might need to do.
>
> Apply the patch.
>
> Then try to add a user with a trailing $ via adduser(1);  Note
> the failure.

I think NAKAJI Hiroyuki pointed out that adduser has nothing to do with
pw_user.

And if you add usernameregexp = '^[a-z0-9_][a-z0-9_-]*[a-z0-9_$-]$' to
/etc/adduser.conf, adduser will then allow $'s.





Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
Giorgos Keramidas wrote:
> On 2002-11-27 12:55, Terry Lambert [EMAIL PROTECTED] wrote:
> > Will this open up a security hole for a normal user account
> > being used to compromise the domain system security?
>
> Probably 'yes'.  I haven't tried this, but I guess one could name his
> machine Administrator.  When that username is passed around, is it
> clear that it is a machine name and not a user name?  I guess that if
> this way someone just might trick a remote SMB server that his
> username is 'Administrator' by changing his local machine's name, we
> have a problem...

That's a namespace issue... they would still need a password.
I think that a login class would fix it.  That would mean that
you could not have a user and a machine with the same name,
but if you want to be technical, doing it the other way, I
can't have a user named Administrator$ and a machine named
Administrator, so either waym there's a namespace incursion.

-- Terry

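Two points in this thread fit one small check: the usernameregexp David quotes for /etc/adduser.conf (which lets a '$' through only as the last character), and the Administrator / Administrator$ namespace question Giorgos and Terry raise. The script below is an added example and is not code from FreeBSD's adduser(8) or pw(8). The stricter no-'$' pattern is an assumed counterpart, since the thread does not quote adduser's shipped default, and the master.passwd lines it reads are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from FreeBSD's adduser(8) or pw(8).
# Checks a candidate login name against the usernameregexp quoted in the
# thread and reports existing accounts that differ from it only by a
# trailing '$' (the user-vs-machine namespace collision discussed above).

# Pattern David quotes for /etc/adduser.conf. Inside a bracket expression
# '$' is literal, so a '$' is allowed only as the final character.
SAMBA_RE='^[a-z0-9_][a-z0-9_-]*[a-z0-9_$-]$'
# Assumed stricter counterpart with no '$' alternative; the thread does not
# quote adduser's shipped default, so treat this as an illustration.
STRICT_RE='^[a-z0-9_][a-z0-9_-]*$'

# username_ok NAME [strict]  -> exit status 0 if NAME matches the pattern
username_ok() {
    re=$SAMBA_RE
    [ "$2" = strict ] && re=$STRICT_RE
    printf '%s\n' "$1" | grep -Eq "$re"
}

# base_name NAME -> NAME with one trailing '$' removed
base_name() {
    printf '%s\n' "${1%\$}"
}

# conflicts NAME  (reads master.passwd-format lines on stdin)
# Prints every existing login whose base name equals NAME's base name,
# e.g. 'administrator' when NAME is 'administrator$', and the reverse.
conflicts() {
    awk -F: -v name="$1" -v want="$(base_name "$1")" '
        {
            login = $1
            if (substr(login, length(login)) == "$")
                login = substr(login, 1, length(login) - 1)
            if (login == want && $1 != name) print $1
        }'
}

# Constructed sample in master.passwd layout, embedded so the script runs
# offline; it is not a real system file.
sample_passwd() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/sh
administrator:*:1001:1001::0:0:Local admin:/home/administrator:/bin/sh
administrator$:*:1002:1002::0:0:Samba machine trust:/nonexistent:/sbin/nologin
wkstn01$:*:1003:1003::0:0:Samba machine trust:/nonexistent:/sbin/nologin
EOF
}

# Usage: sh check_login.sh 'wkstn02$' 'administrator$' Administrator
if [ "$#" -gt 0 ]; then
    for n in "$@"; do
        if username_ok "$n"; then
            c=$(sample_passwd | conflicts "$n")
            printf '%s: accepted%s\n' "$n" "${c:+ (shares a base name with $c)}"
        else
            printf '%s: rejected by usernameregexp\n' "$n"
        fi
    done
fi
```

Two consequences of the quoted pattern are easy to miss: it only admits lowercase names, so 'Administrator$' as written in the thread is rejected before any namespace question arises, and it requires at least two characters because both the first and the last bracket expression must match. The collision report is advisory only; as Terry notes, a machine account still needs its own password, so the check flags a naming ambiguity rather than a bypass.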



Re: pw_user.c change for samba

2002-11-27 Thread Terry Lambert
NAKAJI Hiroyuki wrote:
David W. Chapman Jr. [EMAIL PROTECTED] wrote:
 
  David: Wouldn't pw still have to be updated.  I haven't looked at adduser but I
  thought it was a wrapper for pw?
 
 No.
 
 My /usr/sbin/adduser, updated on Nov/23/2002 21:58 JST, does not call
 pw command. It adds account to /etc/master.passwd and invokes
 'pwd_mkdb'.
 
 See 'sub new_users' function in /usr/sbin/adduser.

There are two adduser scripts.  One is perl, and one was written
to use pw and provide the same semantics, in a shell script, as
part of the perl purge that happened recently.

One of them pukes on the trailing $, and the other doesn't.

It's confusing, unless you caught that we were talking about
most recent -current.

-- Terry




Re: pw_user.c change for samba

2002-11-27 Thread NAKAJI Hiroyuki
 In [EMAIL PROTECTED] 
   Terry Lambert [EMAIL PROTECTED] wrote:

 There are two adduser scripts.  One is perl, and one was written
 to use pw and provide the same semantics, in a shell script, as
 part of the perl purge that happened recently.

I can't find any shell script 'adduser' in
http://www.freebsd.org/cgi/cvsweb.cgi/

Where can I find it?

 One of them pukes on the trailing $, and the other doesn't.

 It's confusing, unless you caught that we were talking about
 most recent -current.

I'm confused too.

I cvsup-ed my /usr/src about 30 minutes ago but there is only
usr.sbin/adduser/adduser.perl.

$ find /usr/src -name '*adduser*'
/usr/src/usr.sbin/adduser
/usr/src/usr.sbin/adduser/adduser.8
/usr/src/usr.sbin/adduser/adduser.perl
-- 
NAKAJI Hiroyuki




Re: pw_user.c change for samba ( perl scripts!)

2002-11-27 Thread Garance A Drosihn
At 1:24 PM +0900 11/28/02, NAKAJI Hiroyuki wrote:

  In [EMAIL PROTECTED]
    Terry Lambert [EMAIL PROTECTED] wrote:

    There are two adduser scripts.  One is perl, and one was written
    to use pw and provide the same semantics, in a shell script, as
    part of the perl purge that happened recently.

  I can't find any shell script 'adduser' in
  http://www.freebsd.org/cgi/cvsweb.cgi/

  Where can I find it?

Hmm, I also see only the perl-script one.  I could have sworn that
this had been rewritten as part of moving perl out of the base
system.  Hrm.  *That* implies the base system might still have some
perl scripts lying around.

On my 5.0-dp2 system, if I ignore /usr/local and /usr/ports, it
looks like the following files installed by -dp2 are perl scripts:

  /usr/bin/mmroff
  /usr/bin/afmtodit
  /usr/sbin/adduser
  /usr/sbin/rmuser

  /usr/share/examples/cvs/contrib/clmerge
  /usr/share/examples/cvs/contrib/cln_hist
  /usr/share/examples/cvs/contrib/commit_prep
  /usr/share/examples/cvs/contrib/cvs_acls
  /usr/share/examples/cvs/contrib/log
  /usr/share/examples/cvs/contrib/log_accum
  /usr/share/examples/cvs/contrib/mfpipe
  /usr/share/examples/cvs/contrib/rcslock
  /usr/share/examples/cvs/contrib/easy-import

  /usr/X11R6/bin/mkhtmlindex
  /usr/X11R6/bin/bdftruncate.pl
  /usr/X11R6/bin/ucs2any.pl
  /usr/compat/linux/usr/bin/mtrace

Perhaps some of these have been converted to something else since
5.0-dp2, and I expect we don't care about the /usr/share/examples
ones anyway.

(my 5.0-dp2 system is the full-distribution install of dp2,
including X11, src, ports, and linux-compat, but no extra
ports or pkgs installed)

So, for the people who aren't getting the perl script version of
adduser, where are they getting the newer script from?

--
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]

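Garance's list says which installed files turned out to be perl scripts but not how they were found. The script below is an added example of that audit, not the command he ran (the message does not show it): it prints every regular file under the given directories whose first line is a perl shebang. The directories in the usage line and the files created in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not the command from the message above.
# Lists files whose first line is a perl shebang, which is one way to audit
# a base-system install for scripts that need an interpreter not in base.

find_perl_scripts() {
    # Arguments: directories to scan. Only the first line of each regular
    # file is read, so binaries cost one short read and are skipped.
    # File names containing a newline are not handled.
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        # Matches both '#!/usr/bin/perl' and '#!/usr/bin/env perl'.
        if head -n 1 "$f" 2>/dev/null | LC_ALL=C grep -q '^#!.*perl'; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage (directory names are an assumption):
#   sh find_perl.sh /usr/bin /usr/sbin /usr/libexec
if [ "$#" -gt 0 ]; then
    find_perl_scripts "$@"
fi
```

Run it against the same tree on two releases and diff the output to see which scripts a release actually converted; a script that merely mentions perl in a comment on its first line would be a false positive, but a shebang check is deliberately stricter than grepping whole files for the word.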



Re: pw_user.c change for samba

2002-11-27 Thread Garance A Drosihn
At 7:06 PM -0800 11/27/02, Terry Lambert wrote:

  NAKAJI Hiroyuki wrote:
    My /usr/sbin/adduser, updated on Nov/23/2002 21:58 JST, does not
    call pw command. It adds account to /etc/master.passwd and
    invokes 'pwd_mkdb'.

    See 'sub new_users' function in /usr/sbin/adduser.

  There are two adduser scripts.  One is perl, and one was written
  to use pw and provide the same semantics, in a shell script, as
  part of the perl purge that happened recently.

  One of them pukes on the trailing $, and the other doesn't.

  It's confusing, unless you caught that we were talking about
  most recent -current.


Well, that implies the replacement script is not as flexible as
the perl script, which sounds interesting in and of itself.

I was in the process of taking Terry's earlier patch and adding
a few additional changes, but I was sandbagged by several hours
worth of interruptions.  I'm heading home now and won't be
checking email tomorrow, but if no one else solves this by Friday
then I'll have another look into it when I get back in.

--
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]
