| OSF DCE SIG | J. Comuzzi (DEC) | |
| Request For Comments: 55.0 | February 1994 |
The DCE 1.0 security facility permits UNIX hosts to override account information from the security registry on a per host basis. This RFC provides a proposal to extend this facility in DCE 1.1 to support overriding group information and adding a mechanism to lookup account and group information using the overridden UID or GID as a key.
DCE 1.0 security includes a password override facility, which uses the
password override file. This file, which exists in
/opt/dcelocal/etc/passwd_override, has a
syntax similar to the syntax of the /etc/passwd file which
exists on most UNIX systems.
/opt/dcelocal/etc/passwd_override permits
using the DCE registry (secd) as the repository for local
account information, but allows specific information to be overridden on
the local system (a customizibility feature). This is
particularly useful because without it all UNIX hosts would have to
share the same conventions on pre-existing system accounts (i.e.,
pre-DCE, low UID), which would be inconvenient since there are many
different, incompatible, conventions for the names and UID's of such
pre-existing accounts.
No analogous mechanism currently exists to reconcile differences between the pre-existing groups in the registry and pre-existing groups that might be present on a given UNIX system. Further, no mechanism exists to access registry information starting with the overridden UID or GID as a key.
This proposal adds a file,
/opt/dcelocal/etc/group_override, and adds
a new API routine, sec_rgy_pgo_get_by_effective_unix_num().
This routine is the analogue of sec_rgy_pgo_get_by_unix_num().
It returns account or group information that use UID's and GID's that
are subject to override information in
/opt/dcelocal/etc/passwd_override and
/opt/dcelocal/etc/group_override files. The
latter file would permit the specification of the name to GID
association specific to this system.
The sec_rgy_pgo_get_by_unix_num() API routine is implemented
as an RPC to the security registry, secd. However the routine
sec_rgy_pgo_get_by_effective_unix_num() would be implemented as
a local routine, which calls a new override interface, followed by an
RPC to the registry server. The new override routine would be part of
the local machine's sec_clientd, where a database of account
override information is already maintained in memory. An additional
database maintained as a linked list of struct
override_group_buffer's would be added.
All processing of the passwd_override information is localized
in the file src/security/sec_clientd/roverride.c. The data
structure maintained and accessed therein (the list of struct
override_buffer's) would be augmented by an additional list of
struct override_group_buffer's and struct
override_group_member's. See Appendix A for details.
The private routine check_update_group_overrides() would be
added to reinitialize the override_group_buffer lists if the
group_override file changed. This is exactly analogous to
check_update_overrides() maintenance of the override_buffer's
list. Similarly, a new routine parse_group_override_buffer()
would be added to parse the syntax of the group_override file
-- see Appendix B for details on this syntax.
Four new routines (roverride_get_by_unix_num(),
roverride_get_group_info(),
roverride_check_group_passwd() and
roverride_is_group_passwd_overridden()) would be added. These
routines would be added as additional routines to the IDL file
roverride.idl. Since they are being added at the end, only
the interface minor version number need be incremented. Indeed, since
this IDL interface is only used to communicate among the DCE
library, dce_login and passwd_export and
sec_clientd on one machine, all of which would be
replaced in any upgrade to DCE 1.1, it would not matter if the interface
major version number was changed. [Note that there is no conceivable
reason for calling this interface remotely, since the outputs from the
existing three routines are only interpretable on the local host.
However, if changing the interface version is perceived as a problem,
the three routines could be exported via a new IDL interface (say
rgroupoverride.idl) at the cost of one additional entry in the
end-point mapper. Again, see Appendix A for details on the API of these
routines.]
The routine roverride_get_by_unix_num(), would implement a
case on the name_domain. For the domain
sec_rgy_domain_person, the override_buffer list
would be searched for an entry with matching UID. If one is found, the
function returns true, with the name of the corresponding account;
otherwise it returns false. For the domain
sec_rgy_domain_group, the override_group_buffer list
would be searched for an entry with matching GID. If one is found, the
function returns true, with the name of the corresponding group;
otherwise it returns false. For the domain
sec_rgy_domain_org, the fuction returns false. In both the
searches, only entries with keyfield's of name (i.e, either principal
name or group name) are examined. If the name field is not present in
an override entry, then the correct information can be obtained from the
registry.
The routines roverride_get_group_info(),
roverride_check_group_passwd() and
roverride_is_group_passwd_overridden() would be almost
identical to the existing corresponding routines, except that the
override_group_buffer list would be searched.
Finally, in addition to the changes required in
src/security/server/sec_cliend/roverride.c, the above entry
points would have to be added in
src/security/client/rca/override.c and override.acf.
These entry points are a simple pass-thru's of the arguments.
Implementation of this libdce routine would parallel
sec_rgy_login_get_effective(). It would consist of a call to
roverride_get_by_unix_num() to obtain the name of the account
or group if it is overridden. If roverride_get_by_unix_num()
indicates this UID or GID has been overridden, the returned name is used
in a call to sec_rgy_pgo_get_by_name(). If it has not been
overridden, sec_rgy_pgo_get_by_unix_num() is called. The
signature of sec_rgy_pgo_get_by_effective_unix_num() is
identical to sec_rgy_pgo_get_by_unix_num(), and is listed in
Appendix A.
passwd_export currently supports using information in
/opt/dcelocal/etc/passwd_override in its generation of
/etc/passwd. It will need a several line modification to
access roverride_get_group_info(), so that information in
/opt/dcelocal/etc/group_override will override the
registry in its generation of /etc/group.
There are three documentation tasks associated with this proposal.
First, the new public API routine
sec_rgy_pgo_get_by_effective_unix_num() would need to be
documented. This would be done by cloning the
sec_rgy_pgo_get_by_unix_num() documentation and making minor
changes. Second, the format of the group_override file would
need to be documented. This has been included in Appendix B. Third,
the man page for passwd_export would need to be updated to
reflect the fact that unless the -n switch is present, both
the passwd_override and group_override files will
effect the created files.
Note that the four new roverride routines would be given the
same documentation treatment as the existing routines in
roverride.idl; currently, those are not documented in the DCE,
but they may be documented in the future.
Noticeably absent in the above proposal is any additional implementation to support organizations. This is because organizations are not a UNIX concept, and are not required to achieve a clean integration with UNIX.
There are several possible other API routines that could be added.
These include sec_rgy_pgo_effective_unix_num_to_id() and
sec_rgy_pgo_effective_unix_num_to_name(). It is not proposed
to add these additional API routines, since their functionality can be
obtained with sec_rgy_pgo_get_by_effective_unix_num().
typedef unsigned32 sec_group_override_fields_t;
const sec_group_override_fields_t sec_group_override_none
= 0x0;
const sec_group_override_fields_t sec_group_override_gr_gid
= 0x1;
const sec_group_override_fields_t sec_group_override_gr_passwd
= 0x2;
const sec_group_override_fields_t sec_group_override_member
= 0x4;
typedef struct override_group_member {
sec_rgy_name_t member;
struct override_group_member *next;
} override_group_member_t;
typedef struct override_group_buffer {
sec_rgy_name_t gr_name;
sec_rgy_unix_passwd_buf_t gr_passwd;
signed32 gr_gid;
struct override_group_member *members;
sec_group_override_fields_t overridden;
sec_override_key_t key_fields;
struct override_group_buffer *next;
} override_group_buffer_t;
boolean32
roverride_get_by_unix_num (
[in] handle_t h,
[in] sec_rgy_domain_t name_domain,
[in] signed32 unix_id,
[out, string] char *name,
[out] error_status_t *status );
void
roverride_get_group_info (
[in] handle_t h,
[in, string] char *gr_name,
[in, out] signed32 *gr_gid,
[out] sec_rgy_unix_passwd_buf_t gr_passwd,
[in] signed32 max_members,
[in, out] sec_rgy_cursor_t *member_cursor,
[out, v1_array, length_is(*number_supplied),
size_is(max_members)]
sec_rgy_member_t member_list[],
[out] signed32 number_supplied,
[out] signed32 number_members,
[out] sec_group_override_fields_t *overridden,
[out] error_status_t *status );
boolean32
roverride_check_group_passwd (
[in] handle_t h,
[in, string] char *gr_name,
[in] signed32 *gr_gid,
[in] sec_rgy_unix_passwd_buf_t gr_passwd,
[out] error_status_t *status );
boolean32
roverride_is_group_passwd_overridden (
[in] handle_t h,
[in, string] char *gr_name,
[out] signed32 *gr_gid,
[out] sec_rgy_unix_passwd_buf_t gr_salt,
[out] error_status_t *status );
[idempotent] void
sec_rgy_pgo_get_by_effective_unix_num (
[in] sec_rgy_handle_t context,
[in] sec_rgy_domain_t name_domain,
[in] sec_rgy_name_t scope,
[in] signed32 unix_id,
[in] boolean32 allow_aliases,
[in, out] sec_rgy_cursor_t *item_cursor,
[out] sec_rgy_pgo_item_t *pgo_item,
[out] sec_rgy_name_t name,
[out] boolean32 overriden,
[out] error_status_t *status );
The information in this section is intended as the man page for the
group_override file.
Purpose:
The registry database group override file.
Synopsis:
/opt/dcelocal/etc/group_override
Description:
The/opt/dcelocal/etc/group_overrideadministrative file lets you override the UNIX group ID for a group similar to manner in which thepasswd_overridefile permits overriding information in the network registry database.The
group_overridefile is stored on each machine. Any changes you make to it are in effect for the local machine only, and have no effect on the centralized registry. You may findgroup_overrideespecially useful overriding the default group definitions supplied with the registry if they do not match your local UNIX system.
The group_override File Format:
The format of thegroup_overrideentries is similar to entries in the UNIXgroupfile. The format is:
group_name:\ passwd:\ group_uid:\ membersIn the override entry,
group_nameandgroup_uidare keyfields. You must enter one to identify the group to which the override applies. The keyfield is used to perform a lookup in the override file. The lookup is performed in order as the entries are specified in an override entry: first by group name, then by group UNIX ID. If you specify more than one keyfield in an override entry, the first keyfield specified is used as the lookup key; subsequent keyfields are used as overrides.
Field Descriptions:
group_name
A keyfield that contains the name that identifies the group to which the override applies.
passwd
This field specifies the encrypted password. If you specify an override in this field, the password you enter is in effect for this local machine only.You can also specify
OMITin the passwd field to disallownewgrp's to this group on the local machine. The use ofOMITin conjunction with an option to thepasswd_exportcommand also prevents the inclusion of this group in the group file created bypasswd_export. (See the section entitled UsingOMIT, later in this command reference, for details.)
group_uid
A UNIX group ID. This filed can function as a keyfield, when no other keyfields are entered, or as a field containing an override, when entered in conjunction with group name. This field specifies the local override of the group ID supplied by the network registry server.
members
This field specifies a comma-separated list of members of the group. The contents of this field will override information in the registry whenpasswd_exportcreates an/etc/groupfile. Note that to specify a null membership, as opposed to indicating no override is required, use an asterisk (*) for this field.
Leaving Fields Blank:
If you do not want to override an item, leave its field blank, separating each blank field with a colon (:). Note that to override a group with a null membership list, enter an asterisk (*) for themembersfield.
Using OMIT:
If you enter either the wordOMITor another invalid password string (such as an asterisk orNO GOOD) in thepasswdfield, users will not be able to issue anewgrpto this group on the local machine. If you specifyOMITand runpasswd_exportwith the-xoption, the named group will not appear in the/etc/groupfile produced bypasswd_export.You should also be aware that, if you have omitted groups from the
/etc/groupfile, information about those groups will not be available to any programs that use the group file. For example, thels -lgcommand accesses the group file to obtain further information about a group. If the group is omitted, no group entry will exist and no information will be available. For this reason you should useOMITto omit groups from the/etc/groupfile only if your user community is very large and either of the following conditions occur:
- The group file is taking up too much space.
- Group-ID-to-name mapping is too slow (during
ls -lg, for example).
Examples:
kmem::3:
system:*::root
| Joe Comuzzi | Internet email: Comuzzi@tuxedo.enet.dec.com | |
| Digital Equipment Corporation | Telephone: +1-508-486-7695 | |
| 550 King Street, LKG2-2/Z7 | ||
| Littleton, MA 01460 | ||
| USA |