jbvb@ftp.COM (James Van Bokkelen) (04/21/89)
In article <462@sequoia.UUCP>, teb@sequoia.UUCP (Thomas E. Bernhard) writes:
> How can I set my group id different from what the passwd file returns?
> The 'net name' command returns me with a group id but I belong to other
> groups (in yp database group). How can I set my group id for access to
> these other groups?

The fact that PCNFSD returns the UID/GID you wind up using is central to the current "security" mechanism of NFS on DOS. If you could set it yourself, there would have to be some way of limiting the values you could set. One could enhance the authentication protocol implementation, so that a list of valid UID/GIDs was returned, but that is a back-door route to a "heuristic piratical NFS", which figures out which UID/GID can perform the requested operation and switches to them on the fly...

The real solution is to change both the clients and servers so that something substantial is passed in the "authentication" field. I think that Sun plans this in the next version of RPC.

--
James B. VanBokkelen    26 Princess St., Wakefield, MA 01880
FTP Software Inc.       voice: (617) 246-0900  fax: (617) 246-0901
mike@relgyro.stanford.edu (Mike Macgirvin) (04/21/89)
In article <642@ftp.COM> jbvb@ftp.COM (James Van Bokkelen) writes:
>In article <462@sequoia.UUCP>, teb@sequoia.UUCP (Thomas E. Bernhard) writes:
>> How can I set my group id different from what the passwd file returns?
>The real solution is to change both the clients and servers so that
>something substantial is passed in the "authentication" field. I think
>that Sun plans this in the next version of RPC.
>

I accomplished this task by hacking up the 'r_pcnfsd.c' that came with PC-NFS. Unfortunately, I can't seem to locate it right now, but the skinny on it is:

The authentication procedure was altered to accept a username followed by a backslash followed by a group, and then to look up the name (after password checking) in the group database, and return ok if the person had access for that group. On the PC side, it worked like this:

    NET NAME name\30 mypassword

which would log 'name' in with the GID set to 30. The hack included checking for name and group by either number or text, because it turns out that PC-NFS only sends 8 characters for a username. So the following syntaxes would all be correct for name == "mike" == UID 20 :

    NET NAME MIKE *          #login with default group
    NET NAME 20\20 *         #login with group 20
    NET NAME MIKE\BIN *      #login with group bin
    NET NAME MIKE\20 *       #login with group 20
    NET NAME 20\STAFF *      #login with group staff
    NET NAME MIKE\STAFF *    #won't work, more than 8 chars

All of this is easily accomplished with a little knowledge of the system uid and gid functions. This solved our immediate problem, and didn't require any changes to the PC software, only the authentication daemon, (for which source is supplied).

I have been told by very reliable sources that support for multiple groups will be built in to the next version of PC-NFS, so I would avoid doing this, if it can wait another month or two...
------------------------------------------------------------------------
Mike Macgirvin
Stanford Relativity Gyro Experiment
Stanford University
(415) 725-4117
ARPA: mike@relgyro.stanford.edu (36.64.0.50)
UUCP: /dev/null
This room has been punched out. Now where are all the gazingas?
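The server-side check described in the post above, as an added example; it is not the original 'r_pcnfsd.c', which does not appear in this thread. The function name `login_gid`, the in-memory user and group tables, and case-insensitive name matching are assumptions made for illustration, and password checking is left out.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample databases standing in for passwd and group (assumptions). */
struct user  { const char *name; int uid, gid; };
struct group { const char *name; int gid; const char *members[4]; };
static const struct user users[] = { {"mike", 20, 20}, {"teb", 21, 20} };
static const struct group groups[] = {
    {"users", 20, {NULL}},          {"bin", 3, {"mike", NULL}},
    {"staff", 10, {"mike", NULL}},  {"wheel", 0, {"root", NULL}},
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Return 1 and store the value if s is a non-empty all-digit string. */
static int numeric(const char *s, int *out) {
    char *end;
    if (!isdigit((unsigned char)*s)) return 0;
    *out = (int)strtol(s, &end, 10);
    return *end == '\0';
}

/* Resolve a "name[\group]" login field, as received from the PC (at most
 * 8 characters), to the GID to grant; -1 means the request is refused. */
int login_gid(const char *field) {
    char buf[9], *grp;
    const struct user *u = NULL;
    const struct group *g = NULL;
    size_t i, j;
    int n;

    strncpy(buf, field, 8); buf[8] = '\0';   /* only 8 characters arrive */
    grp = strchr(buf, '\\');
    if (grp) *grp++ = '\0';                  /* split name from group */

    for (i = 0; i < N(users) && !u; i++)     /* user by number or by name */
        if (numeric(buf, &n) ? users[i].uid == n : !strcasecmp(users[i].name, buf))
            u = &users[i];
    if (!u) return -1;
    if (!grp) return u->gid;                 /* no group asked: default group */

    for (i = 0; i < N(groups) && !g; i++)    /* group by number or by name */
        if (numeric(grp, &n) ? groups[i].gid == n : !strcasecmp(groups[i].name, grp))
            g = &groups[i];
    if (!g) return -1;                       /* unknown or truncated group */
    if (g->gid == u->gid) return g->gid;     /* user's primary group */
    for (j = 0; j < 4 && g->members[j]; j++)
        if (!strcmp(g->members[j], u->name)) return g->gid;
    return -1;                               /* not a member: refuse */
}
```

The membership test at the end is the part that matters: without it, the client-supplied group would be granted as asked, which is the open-ended UID/GID selection the first reply in the thread cautions against.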
guy@auspex.auspex.com (Guy Harris) (04/23/89)
>The real solution is to change both the clients and servers so that
>something substantial is passed in the "authentication" field. I think
>that Sun plans this in the next version of RPC.

"Next version"? The version that came out with SunOS 4.0, and the NFSSRC 4.0 ONC/NFS distribution, already includes this, if you're referring to "DES authentication". I don't know if it's in the 3.9 version of RPC posted to "comp.sources.unix".

More correctly, I don't know whether *most* of it is there; assorted bureaucrats in the US government have decided that encryption mechanisms are "munitions", and therefore the encryption code used in DES authentication requires all sorts of obnoxious export licenses, at least in source form. As such, I doubt the 3.9 version has the encryption code, and I suspect 4.0 source and the NFSSRC 4.0 distribution has "domestic" and "international" versions, with the latter not including the DES code.
sxn%ingersoll@Sun.COM (Stephen X. Nahm) (04/24/89)
In article <1489@auspex.auspex.com> guy@auspex.auspex.com (Guy Harris) writes:
>"Next version"? The version that came out with SunOS 4.0, and the
>NFSSRC 4.0 ONC/NFS distribution, already includes this, if you're
>referring to "DES authentication". I don't know if it's in the 3.9
>version of RPC posted to "comp.sources.unix".

RPCSRC 3.9 was based on SunOS 4.0 Beta code; the DES stuff was removed since it hadn't been completely tested yet. RPCSRC 4.0 does have Secure RPC included with it; however the DES encryption routine was removed due to export restrictions.

Incidentally, I sent RPCSRC 4.0 to sun-spots for inclusion in its archives, but this hasn't happened yet. But you can find it sitting in the "incoming" directory on titan.rice.edu if you have FTP access. In that directory you'll find:

    rpc_40.01 thru rpc_40.17
        RPCSRC, less Secure RPC
    rpc_39-40.01 thru rpc_39-40.03
        "patch" files to upgrade RPCSRC 3.9 to RPCSRC 4.0, less Secure RPC
    secure_rpc.01 thru secure_rpc.04
        Secure RPC, less DES code

Steve Nahm
sxn@sun.COM or sun!sxn
geoff@hinode.east.sun.com (Geoff Arnold @ Sun ECD - R.H. coast near the top) (04/26/89)
In article <462@sequoia.UUCP> teb@sequoia.UUCP () writes:
>How can I set my group id different from what the passwd file returns?
>The 'net name' command returns me with a group id but I belong to other
>groups (in yp database group). How can I set my group id for access to
>these other groups?

In the next release of PC-NFS the "net name XXX" command will consult the "group" YP map for additional group membership. Stay tuned for the formal announcement on comp.newprod.

Geoff

Geoff Arnold,                        Internet: garnold@sun.com
Manager, PC-NFS Engineering          UUCP: ....!sun!garnold
PCDS Group, Sun Microsystems Inc.
"A disclaimer? Sure, at that price you can have half a dozen of 'em."