I need to support netgroup checks in a service, written in C. I’m asking the SSSD list
because we’re using SSSD, which means that netgroup operations are routed to the SSSD
provider.
I found that innetgr doesn’t work if there are nested netgroups. The man page doesn’t
suggest that this would happen, though various online discussions seem to suggest it. As
far as I can tell, using the usual libc routines, I’d have to do a recursive enumeration
of the netgroup. This seems pretty silly, since the host's memberOf attribute shows
what netgroups it’s a member of, whether direct or indirect. You could also enumerate
using the compat tree, which lets a single LDAP query get all members of the netgroup.
For the moment I’m doing LDAP operations. My application already needs to do
GSSAPI-authenticated LDAP operations, so I have an LDAP connection already. A netgroup
check requires two queries, which could reasonably be cached. Look up the netgroup by name
to find the unique ID. Look up the host and see if the unique ID matches any memberOf
attributes.
But not all applications would be set up so this is easy. Is there a reasonable way to
check netgroup membership using normal libc calls?
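The two approaches described in the post, as an added C example that is not the poster's code and not part of SSSD or glibc: a recursive walk over nested netgroups with a visited list so that netgroups that reference each other cannot loop forever, and the final step of the two-query LDAP approach, an exact DN comparison of the netgroup entry against the host's memberOf values. The netgroup fixture, host names and DN layout are constructed placeholders; a real implementation would get the data from LDAP (or, for the flat case, from setnetgrent/getnetgrent).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed fixture standing in for a netgroup source (hypothetical data,
 * not from SSSD or a real LDAP tree). Each netgroup has the host fields of
 * its (host,user,domain) triples and the names of netgroups nested in it. */
struct ng_def {
    const char *name;
    const char *const *hosts;   /* NULL-terminated host names */
    const char *const *nested;  /* NULL-terminated nested netgroup names */
};

static const char *const webhosts[]  = { "web1.example.test", "web2.example.test", NULL };
static const char *const dbhosts[]   = { "db1.example.test", NULL };
static const char *const none[]      = { NULL };
static const char *const prod_nest[] = { "webhosts", "dbhosts", "allhosts", NULL }; /* "allhosts" closes a cycle */
static const char *const all_nest[]  = { "prodhosts", NULL };

static const struct ng_def netgroups[] = {
    { "webhosts",  webhosts, none },
    { "dbhosts",   dbhosts,  none },
    { "prodhosts", none,     prod_nest },
    { "allhosts",  none,     all_nest },
};

static const struct ng_def *lookup_netgroup(const char *name)
{
    for (size_t i = 0; i < sizeof netgroups / sizeof netgroups[0]; i++)
        if (strcmp(netgroups[i].name, name) == 0)
            return &netgroups[i];
    return NULL;
}

#define MAX_DEPTH 32

/* Recursive membership check. The visited list stops cycles (prodhosts ->
 * allhosts -> prodhosts) and avoids re-expanding diamonds; MAX_DEPTH caps
 * pathological nesting. Unknown netgroups deny rather than guess. */
static bool in_netgroup_rec(const char *ng, const char *host,
                            const char **visited, size_t *nvisited)
{
    for (size_t i = 0; i < *nvisited; i++)
        if (strcmp(visited[i], ng) == 0)
            return false;                  /* already expanded */
    if (*nvisited >= MAX_DEPTH)
        return false;
    visited[(*nvisited)++] = ng;

    const struct ng_def *def = lookup_netgroup(ng);
    if (!def)
        return false;
    for (size_t i = 0; def->hosts[i]; i++)
        if (strcasecmp(def->hosts[i], host) == 0)  /* host names are case-insensitive */
            return true;
    for (size_t i = 0; def->nested[i]; i++)
        if (in_netgroup_rec(def->nested[i], host, visited, nvisited))
            return true;
    return false;
}

bool host_in_netgroup(const char *netgroup, const char *host)
{
    const char *visited[MAX_DEPTH];
    size_t nvisited = 0;
    return in_netgroup_rec(netgroup, host, visited, &nvisited);
}

/* Final step of the two-query approach: query 1 gave the netgroup entry's DN,
 * query 2 gave the host's memberOf values; require a whole-value match.
 * A substring test would let "cn=prod,..." match "cn=prodhosts,...". DNs are
 * compared case-insensitively, which is adequate for the attribute types here. */
bool host_memberof_netgroup(const char *const *memberof, size_t n, const char *netgroup_dn)
{
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(memberof[i], netgroup_dn) == 0)
            return true;
    return false;
}

/* Constructed memberOf values with a placeholder DN layout. */
static const char *const sample_memberof[] = {
    "cn=prodhosts,cn=ng,cn=alt,dc=example,dc=test",
    "cn=allhosts,cn=ng,cn=alt,dc=example,dc=test",
};
static const size_t sample_memberof_count = 2;

int main(void)
{
    printf("db1 in allhosts (nested, cyclic): %d\n", host_in_netgroup("allhosts", "db1.example.test"));
    printf("other in allhosts: %d\n", host_in_netgroup("allhosts", "other.example.test"));
    printf("memberOf prodhosts: %d\n", host_memberof_netgroup(sample_memberof, sample_memberof_count,
           "cn=prodhosts,cn=ng,cn=alt,dc=example,dc=test"));
    printf("memberOf prod (prefix only): %d\n", host_memberof_netgroup(sample_memberof, sample_memberof_count,
           "cn=prod,cn=ng,cn=alt,dc=example,dc=test"));
    return 0;
}
```

The recursive walk is what the libc route amounts to if nested groups are not expanded for you; the memberOf comparison is the cheap check once the netgroup's identifier is cached, and it must compare whole values, not prefixes.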