Date:      Thu, 28 Nov 2002 00:20:37 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        "David W. Chapman Jr." <dwcjr@inethouston.net>, current@FreeBSD.ORG
Subject:   Re: pw_user.c change for samba
Message-ID:  <20021127222037.GA13085@gothmog.gr>
In-Reply-To: <3DE5315A.FC6D59B@mindspring.com>
References:  <20021127192126.GA31706@leviathan.inethouston.net> <3DE52B70.44402B98@mindspring.com> <20021127203401.GA35573@leviathan.inethouston.net> <3DE5315A.FC6D59B@mindspring.com>

On 2002-11-27 12:55, Terry Lambert <tlambert2@mindspring.com> wrote:
> It seems to me that another alternative is that all these
> names end in '$'; therefore, when you are expecting one of
> these names, you could imply a '$', without needing to actually
> have it in the password file -- in other words, it's an
> attribute, not really part of the account name.
>
> Will this open up a security hole for a normal user account
> being used to compromise the domain system security?

Probably 'yes'.  I haven't tried this, but I guess one could name his
machine "Administrator".  When that username is passed around, is it
clear that it is a machine name and not a user name?  I guess that if
someone just might trick a remote SMB server this way into believing
that his username is 'Administrator' by changing his local machine's
name, we have a problem...
