xref: /illumos-gate/usr/src/lib/nsswitch/nis/common/getnetgrent.c (revision 36e852a1)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 *	nis/getnetgrent.c -- "nis" backend for nsswitch "netgroup" database
 *
 *	The API for netgroups differs sufficiently from that for the average
 *	getXXXbyYYY function that we use very few of the support routines in
 *	nis_common.h.
 *
 *	The implementation of setnetgrent()/getnetgrent() here follows the
 *	the 4.x code, inasmuch as the setnetgrent() routine does all the work
 *	of traversing the netgroup graph and building a (potentially large)
 *	list in memory, and getnetgrent() just steps down the list.
 *
 *	An alternative, and probably better, implementation would lazy-eval
 *	the netgroup graph in response to getnetgrent() calls (though
 *	setnetgrent() should still check for the top-level netgroup name
 *	and return NSS_SUCCESS / NSS_NOTFOUND).
 */

#include "nis_common.h"
#include <ctype.h>
#include <rpcsvc/ypclnt.h>
#include <malloc.h>
#include <string.h>
#ifdef	DEBUG
#include <sys/syslog.h>
#endif	/* DEBUG */

/*
 * The nss_backend_t for a getnetgrent() sequence;  we actually give the
 *   netgroup frontend a pointer to one of these structures in response to
 *   a (successful) setnetgrent() call on the nis_netgr_be backend
 *   described further down in this file.
 */

struct nis_getnetgr_be;
typedef nss_status_t	(*nis_getnetgr_op_t)(struct nis_getnetgr_be *, void *);

struct nis_getnetgr_be {
	nis_getnetgr_op_t	*ops;
	nss_dbop_t		n_ops;
	/*
	 * State for set/get/endnetgrent()
	 */
	char			*netgroup;
	struct grouplist	*all_members;
	struct grouplist	*next_member;
};

struct grouplist {  /* One element of the list generated by a setnetgrent() */
	char			*triple[NSS_NETGR_N];
	struct	grouplist	*gl_nxt;
};

static nss_status_t
getnetgr_set(be, a)
	struct nis_getnetgr_be	*be;
	void			*a;
{
	const char		*netgroup = (const char *) a;

	if (be->netgroup != 0 &&
	    strcmp(be->netgroup, netgroup) == 0) {
		/* We already have the member-list;  regurgitate it */
		be->next_member = be->all_members;
		return (NSS_SUCCESS);
	}
	return (NSS_NOTFOUND);
}

static nss_status_t
getnetgr_get(be, a)
	struct nis_getnetgr_be	*be;
	void			*a;
{
	struct nss_getnetgrent_args *args = (struct nss_getnetgrent_args *)a;
	struct grouplist	*mem;

	if ((mem = be->next_member) == 0) {
		args->status = NSS_NETGR_NO;
	} else {
		char			*buffer	= args->buffer;
		int			buflen	= args->buflen;
		enum nss_netgr_argn	i;

		args->status = NSS_NETGR_FOUND;

		for (i = 0;  i < NSS_NETGR_N;  i++) {
			const char	*str;
			ssize_t	len;

			if ((str = mem->triple[i]) == 0) {
				args->retp[i] = 0;
			} else if ((len = strlen(str) + 1) <= buflen) {
				args->retp[i] = buffer;
				(void) memcpy(buffer, str, len);
				buffer += len;
				buflen -= len;
			} else {
				args->status = NSS_NETGR_NOMEM;
				break;
			}
		}
		be->next_member	= mem->gl_nxt;
	}
	return (NSS_SUCCESS);	/* Yup, even for end-of-list, i.e. */
				/* do NOT advance to next backend. */
}

/*ARGSUSED*/
static nss_status_t
getnetgr_end(be, dummy)
	struct nis_getnetgr_be	*be;
	void			*dummy;
{
	struct grouplist	*gl;
	struct grouplist	*next;

	for (gl = be->all_members; gl != NULL; gl = next) {
		enum nss_netgr_argn	i;

		next = gl->gl_nxt;
		for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
			if (gl->triple[i] != 0) {
				free(gl->triple[i]);
			}
		}
		free(gl);
	}
	be->all_members = 0;
	be->next_member = 0;
	if (be->netgroup != 0) {
		free(be->netgroup);
		be->netgroup = 0;
	}
	return (NSS_SUCCESS);
}

/*ARGSUSED*/
static nss_status_t
getnetgr_destr(be, dummy)
	struct nis_getnetgr_be	*be;
	void			*dummy;
{
	if (be != 0) {
		(void) getnetgr_end(be, (void *)0);
		free(be);
	}
	return (NSS_SUCCESS);
}

static nis_getnetgr_op_t getnetgr_ops[] = {
	getnetgr_destr,
	getnetgr_end,
	getnetgr_set,
	getnetgr_get,	/* getnetgrent_r() */
};


/*
 * The nss_backend_t for innetgr() and setnetgrent().
 */

struct nis_netgr_be;
typedef nss_status_t	(*nis_netgr_op_t)(struct nis_netgr_be *, void *);

struct nis_netgr_be {
	nis_netgr_op_t		*ops;
	nss_dbop_t		n_ops;
	const char		*domain;	/* (default) YP domain */
};


/*
 * Code to do top-down search in the graph defined by the 'netgroup' YP map
 */

/*
 * ===> This code is now used for setnetgrent(), not just innetgr().
 *
 * If the easy way doesn't pan out, recursively search the 'netgroup' map.
 * In order to do this, we:
 *
 *    -	remember all the netgroup names we've seen during this search,
 *	whether or not we've expanded them yet (we want fast insertion
 *	with duplicate-detection, so use yet another chained hash table),
 *
 *    -	keep a list of all the netgroups we haven't expanded yet (we just
 *	want fast insertion and pop-first, so a linked list will do fine).
 *	If we insert at the head, we get a depth-first search;  insertion
 *	at the tail gives breadth-first (?), which seems preferable (?).
 *
 * A netgrnam struct contains pointers for both the hash-table and the list.
 * It also contains the netgroup name;  note that we embed the name at the
 * end of the structure rather than holding a pointer to yet another
 * malloc()ed region.
 *
 * A netgrtab structure contains the hash-chain heads and the head/tail
 * pointers for the expansion list.
 *
 * Most of this code is common to at least the NIS backend;  it
 * should be generalized and, presumably, moved into the frontend.
 * ==> Not any longer...
 */

struct netgrnam {
	struct netgrnam	*hash_chain;
	struct netgrnam	*expand_next;
	char		name[1];	/* Really [strlen(name) + 1] */
};

#define	HASHMOD	113

struct netgrtab {
	struct netgrnam	*expand_first;
	struct netgrnam	**expand_lastp;
	struct netgrnam	*hash_heads[HASHMOD];
};

static void
ngt_init(ngt)
	struct netgrtab	*ngt;
{
	(void) memset((void *)ngt, 0, sizeof (*ngt));
	ngt->expand_lastp = &ngt->expand_first;
}

/* === ? Change ngt_init() and ngt_destroy() to malloc/free struct netgrtab */

static void
/* ==> ? Should return 'failed' (out-of-memory) status ? */
ngt_insert(ngt, name, namelen)
	struct netgrtab	*ngt;
	const char	*name;
	size_t		namelen;
{
	unsigned	hashval;
	size_t		i;
	struct netgrnam	*cur;
	struct netgrnam	**head;

#define	dummy		((struct netgrnam *)0)

	for (hashval = 0, i = 0;  i < namelen;  i++) {
		hashval = (hashval << 2) + hashval +
			((const unsigned char *)name)[i];
	}
	head = &ngt->hash_heads[hashval % HASHMOD];
	for (cur = *head;  cur != 0;  cur = cur->hash_chain) {
		if (strncmp(cur->name, name, namelen) == 0 &&
		    cur->name[namelen] == 0) {
			return;		/* Already in table, do nothing */
		}
	}
	/* Create new netgrnam struct */
	cur = (struct netgrnam *)
		malloc(namelen + 1 + (char *)&dummy->name[0] - (char *)dummy);
	if (cur == 0) {
		return;			/* Out of memory, too bad */
	}
	(void) memcpy(cur->name, name, namelen);
	cur->name[namelen] = 0;

	/* Insert in hash table */
	cur->hash_chain = *head;
	*head = cur;

	/* Insert in expansion list (insert at end for breadth-first search */
	cur->expand_next = 0;
	*ngt->expand_lastp = cur;
	ngt->expand_lastp = &cur->expand_next;

#undef	dummy
}

static const char *
ngt_next(ngt)
	struct netgrtab	*ngt;
{
	struct netgrnam	*first;

	if ((first = ngt->expand_first) == 0) {
		return (0);
	}
	if ((ngt->expand_first = first->expand_next) == 0) {
		ngt->expand_lastp = &ngt->expand_first;
	}
	return (first->name);
}

static void
ngt_destroy(ngt)
	struct netgrtab	*ngt;
{
	struct netgrnam	*cur;
	struct netgrnam *next;
	int		i;

	for (i = 0;  i < HASHMOD;  i++) {
		for (cur = ngt->hash_heads[i];  cur != 0; /* cstyle */) {
			next = cur->hash_chain;
			free(cur);
			cur = next;
		}
	}
	/* Don't bother zeroing pointers;  must do init if we want to reuse */
}

typedef const char *ccp;

static nss_status_t
top_down(struct nis_netgr_be *be, const char **groups, int ngroups,
    int (*func)(ccp triple[3], void *iter_args, nss_status_t *return_val),
    void *iter_args)
{
	struct netgrtab		*ngt;
	/* netgrtab goes on the heap, not the stack, because it's large and */
	/* stacks may not be all that big in multi-threaded programs. */

	const char		*group;
	int			nfound;
	int			done;
	nss_status_t		result;

	if ((ngt = (struct netgrtab *)malloc(sizeof (*ngt))) == 0) {
		return (NSS_UNAVAIL);
	}
	ngt_init(ngt);

	while (ngroups > 0) {
		ngt_insert(ngt, *groups, strlen(*groups));
		groups++;
		ngroups--;
	}

	done	= 0;	/* Set to 1 to indicate that we cut the iteration  */
			/*   short (and 'result' holds the return value)   */
	nfound	= 0;	/* Number of successful netgroup yp_match calls	   */

	while (!done && (group = ngt_next(ngt)) != 0) {
		char		*val;
		int		vallen;
		char		*p;
		int		yperr;

		result = _nss_nis_ypmatch(be->domain, "netgroup", group,
		    &val, &vallen, &yperr);
		if (result != NSS_SUCCESS) {
			/*LINTED E_NOP_IF_STMT*/
			if (result == NSS_NOTFOUND) {
				;
#ifdef	DEBUG
				syslog(LOG_WARNING,
				    "NIS netgroup lookup: %s doesn't exist",
				    group);
#endif	/* DEBUG */
			} else {
#ifdef	DEBUG
				syslog(LOG_WARNING,
			"NIS netgroup lookup: yp_match returned [%s]",
				    yperr_string(yperr));
#endif	/* DEBUG */
				done = 1;	/* Give up, return result */
			}
			/* Don't need to clean up anything */
			continue;
		}

		nfound++;

		if ((p = strpbrk(val, "#\n")) != 0) {
			*p = '\0';
		}
		p = val;

		/* Parse val into triples and recursive netgroup references */
		/*CONSTCOND*/
		while (1) {
			ccp			triple[NSS_NETGR_N];
			int			syntax_err;
			enum nss_netgr_argn	i;

			while (isspace(*p)) {
				p++;
			}
			if (*p == '\0') {
				/* Finished processing this particular val */
				break;
			}
			if (*p != '(') {
				/* Doesn't look like the start of a triple, */
				/*   so assume it's a recursive netgroup.   */
				char *start = p;
				p = strpbrk(start, " \t");
				if (p == 0) {
					/* Point p at the final '\0' */
					p = start + strlen(start);
				}
				ngt_insert(ngt, start, (size_t)(p - start));
				continue;
			}

			/* Main case:  a (machine, user, domain) triple */
			p++;
			syntax_err = 0;
			for (i = NSS_NETGR_MACHINE; i < NSS_NETGR_N; i++) {
				char		*start;
				char		*limit;
				const char	*terminators = ",) \t";

				if (i == NSS_NETGR_DOMAIN) {
					/* Don't allow comma */
					terminators++;
				}
				while (isspace(*p)) {
					p++;
				}
				start = p;
				limit = strpbrk(start, terminators);
				if (limit == 0) {
					syntax_err++;
					break;
				}
				p = limit;
				while (isspace(*p)) {
					p++;
				}
				if (*p == terminators[0]) {
					/*
					 * Successfully parsed this name and
					 *   the separator after it (comma or
					 *   right paren); leave p ready for
					 *   next parse.
					 */
					p++;
					if (start == limit) {
						/* Wildcard */
						triple[i] = 0;
					} else {
						*limit = '\0';
						triple[i] = start;
					}
				} else {
					syntax_err++;
					break;
				}
			}

			if (syntax_err) {
/*
 * ===> log it;
 * ===> try skipping past next ')';  failing that, abandon the line;
 */
				break;	/* Abandon this line */
			} else if (!(*func)(triple, iter_args, &result)) {
				/* Return result, good or bad */
				done = 1;
				break;
			}
		}
		/* End of inner loop over val[] */
		free(val);
	}
	/* End of outer loop (!done && ngt_next(ngt) != 0) */

	ngt_destroy(ngt);
	free(ngt);

	if (done) {
		return (result);
	} else if (nfound > 0) {
		/* ==== ? Should only do this if all the top-level groups */
		/*	  exist in YP?					  */
		return (NSS_SUCCESS);
	} else {
		return (NSS_NOTFOUND);
	}
}


/*
 * Code for setnetgrent()
 */

/*
 * Iterator function for setnetgrent():  copy triple, add to be->all_members
 */
static int
save_triple(ccp trippp[NSS_NETGR_N], void *headp_arg,
    nss_status_t *return_val)
{
	struct grouplist	**headp = headp_arg;
	struct grouplist	*gl;
	enum nss_netgr_argn	i;

	if ((gl = (struct grouplist *)malloc(sizeof (*gl))) == 0) {
		/* Out of memory */
		*return_val = NSS_UNAVAIL;
		return (0);
	}
	for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
		if (trippp[i] == 0) {
			/* Wildcard */
			gl->triple[i] = 0;
		} else if ((gl->triple[i] = strdup(trippp[i])) == 0) {
			/* Out of memory.  Free any we've allocated */
			enum nss_netgr_argn	j;

			for (j = NSS_NETGR_MACHINE;  j < i;  j++) {
				if (gl->triple[j] != 0) {
					free(gl->triple[j]);
				}
			}
			*return_val = NSS_UNAVAIL;
			return (0);
		}
	}
	gl->gl_nxt = *headp;
	*headp = gl;
	return (1);	/* Tell top_down() to keep iterating */
}

static nss_status_t
netgr_set(be, a)
	struct nis_netgr_be	*be;
	void			*a;
{
	struct nss_setnetgrent_args *args = (struct nss_setnetgrent_args *)a;
	struct nis_getnetgr_be	*get_be;
	nss_status_t		res;

	get_be = (struct nis_getnetgr_be *)malloc(sizeof (*get_be));
	if (get_be == 0) {
		return (NSS_UNAVAIL);
	}

	get_be->all_members = 0;
	res = top_down(be, &args->netgroup, 1, save_triple,
		&get_be->all_members);

	if (res == NSS_SUCCESS) {
		get_be->ops		= getnetgr_ops;
		get_be->n_ops		= sizeof (getnetgr_ops) /
						sizeof (getnetgr_ops[0]);
		get_be->netgroup	= strdup(args->netgroup);
		get_be->next_member	= get_be->all_members;

		args->iterator		= (nss_backend_t *)get_be;
	} else {
		args->iterator		= 0;
		free(get_be);
	}
	return (res);
}


/*
 * Code for innetgr()
 */

/*
 * Iterator function for innetgr():  Check whether triple matches args
 */
static int
match_triple(ccp triple[NSS_NETGR_N], void *ia_arg, nss_status_t *return_val)
{
	struct nss_innetgr_args	*ia = ia_arg;
	enum nss_netgr_argn	i;

	for (i = NSS_NETGR_MACHINE;  i < NSS_NETGR_N;  i++) {
		int		(*cmpf)(const char *, const char *);
		char		**argv;
		int		n;
		const char	*name = triple[i];
		int		argc = ia->arg[i].argc;

		if (argc == 0 || name == 0) {
			/* Wildcarded on one side or t'other */
			continue;
		}
		argv = ia->arg[i].argv;
		cmpf = (i == NSS_NETGR_MACHINE) ? strcasecmp : strcmp;
		for (n = 0;  n < argc;  n++) {
			if ((*cmpf)(argv[n], name) == 0) {
				break;
			}
		}
		if (n >= argc) {
			/* Match failed, tell top_down() to keep looking */
			return (1);
		}
	}
	/* Matched on all three, so quit looking and declare victory */

	ia->status = NSS_NETGR_FOUND;
	*return_val = NSS_SUCCESS;
	return (0);
}

/*
 * inlist() -- return 1 if at least one item from the "what" list
 *   is in the comma-separated, newline-terminated "list"
 */
static const char comma = ',';	/* Don't let 'cfix' near this */

static int
inlist(nwhat, pwhat, list)
	nss_innetgr_argc	nwhat;
	nss_innetgr_argv	pwhat;
	char			*list;
{
	char			*p;
	nss_innetgr_argc	nw;
	nss_innetgr_argv	pw;

	while (*list != 0) {
		while (*list == comma || isspace(*list))
			list++;
		for (p = list;  *p != 0 && *p != comma &&
		    !isspace(*p); /* nothing */)
			p++;
		if (p != list) {
			if (*p != 0)
				*p++ = 0;
			for (pw = pwhat, nw = nwhat;  nw != 0;  pw++, nw--) {
				if (strcmp(list, *pw) == 0)
					return (1);
			}
			list = p;
		}
	}
	return (0);
}

/*
 * Generate a key for a netgroup.byXXXX NIS map
 */
static void
makekey(key, name, domain)
	char		*key;
	const char	*name;
	const char	*domain;
{
	while (*key++ = *name++)
		;
	*(key-1) = '.';
	while (*key++ = *domain++)
		;
}

static int
makekey_lc(key, name, domain)
	char		*key;
	const char	*name;		/* Convert this to lowercase */
	const char	*domain;	/* But not this */
{
	int		found_uc = 0;
	char		c;

	while (c = *name++) {
		if (isupper(c)) {
			++found_uc;
			c = tolower(c);
		}
		*key++ = c;
	}
	*key++ = '.';
	while (*key++ = *domain++)
		;
	return (found_uc);
}

/*
 * easy_way() --  try to use netgroup.byuser and netgroup.byhost maps to
 *		  get answers more efficiently than by recursive search.
 *
 * If more than one name (username or hostname) is specified, this approach
 * becomes less attractive;  at some point it's probably cheaper to do the
 * recursive search.  We don't know what the threshold is (among other things
 * it may depend on the site-specific struucture of netgroup information),
 * so here's a guesstimate.
 */

#define	NNAME_THRESHOLD	5

static int
easy_way(be, ia, argp, map, try_lc, statusp)
	struct nis_netgr_be	*be;
	struct nss_innetgr_args	*ia;
	struct nss_innetgr_1arg	*argp;
	const char		*map;
	int			try_lc;
	nss_status_t		*statusp;
{
	nss_innetgr_argc	nname = argp->argc;
	nss_innetgr_argv	pname = argp->argv;
	const char		*domain = ia->arg[NSS_NETGR_DOMAIN].argv[0];
	const char		*wild = "*";
	int			yperr;
	char			*val;
	int			vallen;
	char			*key;
	int			i;

	/* Our caller guaranteed that nname >= 1 */
	while (nname > 1) {
		struct nss_innetgr_1arg	just_one;

		if (nname > NNAME_THRESHOLD) {
			return (0);	/* May be cheaper to use 'netgroup' */
		}

		just_one.argc = 1;
		just_one.argv = pname;

		if (easy_way(be, ia, &just_one, map, try_lc, statusp) &&
		    ia->status == NSS_NETGR_FOUND) {
			return (1);
		}
		++pname;
		--nname;
		/* Fall through and do the last one inline */
	}

	if ((key = malloc(strlen(*pname) + strlen(domain) + 2)) == 0) {
		return (0);	/* Or maybe (1) and NSS_UNAVAIL */
	}

	for (i = 0;  i < (try_lc ? 6 : 4);  i++) {
		switch (i) {
		    case 0:
			makekey(key, *pname, domain);
			break;
		    case 1:
			makekey(key, wild, domain);
			break;
		    case 2:
			makekey(key, *pname, wild);
			break;
		    case 3:
			makekey(key, wild, wild);
			break;
		    case 4:
			if (!makekey_lc(key, *pname, domain)) {
				try_lc = 0;	/* Sleazy but effective */
				continue;	/*   i.e. quit looping  */
			}
			break;
		    case 5:
			(void) makekey_lc(key, *pname, wild);
			break;
		}
		*statusp = _nss_nis_ypmatch(be->domain, map, key,
					&val, &vallen, &yperr);
		if (*statusp == NSS_SUCCESS) {
			if (inlist(ia->groups.argc, ia->groups.argv, val)) {
				free(val);
				free(key);
				ia->status = NSS_NETGR_FOUND;
				return (1);
			} else {
				free(val);
			}
		} else {
#ifdef DEBUG
			syslog(LOG_WARNING,
				"innetgr: yp_match(%s,%s) failed: %s",
				map, key, yperr_string(yperr));
#endif	/* DEBUG */
			if (yperr != YPERR_KEY)  {
				free(key);
				return (0);
			}
		}
	}

	free(key);

/* =====> is this (an authoritative "no") always the right thing to do?	*/
/*	  Answer:  yes, except for hostnames that aren't all lowercase	*/

	*statusp = NSS_NOTFOUND;	/* Yup, three different flavours of */
	ia->status = NSS_NETGR_NO;	/*   status information, so-called. */
	return (1);			/*   Silly, innit?		    */
}


static nss_status_t
netgr_in(be, a)
	struct nis_netgr_be	*be;
	void			*a;
{
	struct nss_innetgr_args	*ia = (struct nss_innetgr_args *)a;
	nss_status_t		res;

	ia->status = NSS_NETGR_NO;

	/* Can we use netgroup.byhost or netgroup.byuser to speed things up? */

/* ====> diddle this to try fast path for domains.argc == 0 too */
	if (ia->arg[NSS_NETGR_DOMAIN].argc == 1) {
		if (ia->arg[NSS_NETGR_MACHINE].argc == 0 &&
		    ia->arg[NSS_NETGR_USER   ].argc != 0) {
			if (easy_way(be, ia, &ia->arg[NSS_NETGR_USER],
			    "netgroup.byuser", 0, &res)) {
				return (res);
			}
		} else if (ia->arg[NSS_NETGR_USER].argc == 0 &&
		    ia->arg[NSS_NETGR_MACHINE].argc != 0) {
			if (easy_way(be, ia, &ia->arg[NSS_NETGR_MACHINE],
			    "netgroup.byhost", 1, &res)) {
				return (res);
			}
		}
	}

	/* Nope, try the slow way */
	ia->status = NSS_NETGR_NO;
	res = top_down(be, (const char **)ia->groups.argv, ia->groups.argc,
	    match_triple, ia);
	return (res);
}


/*
 * (Almost) boilerplate for a switch backend
 */

/*ARGSUSED*/
static nss_status_t
netgr_destr(be, dummy)
	struct nis_netgr_be	*be;
	void			*dummy;
{
	if (be != 0) {
		free(be);
	}
	return (NSS_SUCCESS);
}

static nis_netgr_op_t netgroup_ops[] = {
	netgr_destr,
	0,		/* No endent, because no setent/getent */
	0,		/* No setent;  setnetgrent() is really a getXbyY() */
	0,		/* No getent in the normal sense */

	netgr_in,	/* innetgr() */
	netgr_set,	/* setnetgrent() */
};

/*ARGSUSED*/
nss_backend_t *
_nss_nis_netgroup_constr(dummy1, dummy2, dummy3)
	const char	*dummy1, *dummy2, *dummy3;
{
	const char		*domain;
	struct nis_netgr_be	*be;

	if ((domain = _nss_nis_domain()) == 0 ||
	    (be = (struct nis_netgr_be *)malloc(sizeof (*be))) == 0) {
		return (0);
	}
	be->ops		= netgroup_ops;
	be->n_ops	= sizeof (netgroup_ops) / sizeof (netgroup_ops[0]);
	be->domain	= domain;

	return ((nss_backend_t *)be);
}