From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:58:51 2003
Date: Thu, 25 Sep 2003 12:58:25 -0400 (EDT)
From: Matthew George
To: Robert Watson
cc: freebsd-security@freebsd.org
cc: Jesse Guardiani
Subject: Re: unified authentication
Message-ID: <20030925124655.C31322@localhost>

On Thu, 25 Sep 2003, Robert Watson wrote:

> Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> access) between a set of trusted hosts, with no modifications to the
> privileged port set, should be fairly safe against unprivileged users
> logged into the machines.  The same goes for NFS.  If you break any of
> these assumptions, then the security properties go out the window.

It should probably also be noted that when using NIS in a multi-platform
environment, UNSECURE="True" must be set in /var/yp/Makefile.
When using FreeBSD machines only, the passwd maps are generated without
password fields, the master.passwd maps are generated with them, and only
requests from privileged ports (superuser requests) will be given the
master.passwd maps (hence the comment above about modifying the privileged
port set).  Other operating systems' NIS implementations require the
password fields to be in the passwd maps, which are available to
unprivileged users.

-- 
Matthew George
SecureWorks Technical Operations
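A quick check for the situation Matthew describes, added here as an example and not part of the original message or of FreeBSD's NIS tooling: run `ypcat passwd` as an unprivileged user (so the request leaves from an unprivileged port and the server answers with the passwd map, not master.passwd) and look at whether the password field still carries real hashes, which is what UNSECURE="True" causes. The sample map contents below are constructed, with placeholder strings in place of hashes, so the script runs offline; on a real host you would pipe `ypcat passwd` into `find_exposed_hashes` instead.

```sh
#!/bin/sh
# Added example: audit a NIS passwd map for exposed password hashes.
# Not taken from the original message. Feed it `ypcat passwd` on a live
# host; here constructed sample data is used so it runs offline.

# Print the login name of every entry whose password field is a real
# hash rather than a placeholder (empty, "x", "!", or anything that
# starts with "*", e.g. "*" or "*LOCKED*").
find_exposed_hashes() {
    awk -F: '
        NF >= 7 {
            pw = $2
            if (pw != "" && pw != "x" && pw != "!" && substr(pw, 1, 1) != "*") {
                print $1
            }
        }
    '
}

# audit_map MAP_CONTENTS: return 0 if no hashes are visible, 1 otherwise,
# listing the affected accounts on stderr.
audit_map() {
    exposed=$(printf '%s\n' "$1" | find_exposed_hashes)
    if [ -n "$exposed" ]; then
        echo "password hashes visible in passwd map for: $exposed" >&2
        return 1
    fi
    return 0
}

# Constructed samples (not real account data). The first is what a
# FreeBSD-only NIS master serves to unprivileged clients: the password
# field is replaced by "*". The second is what UNSECURE="True" produces:
# the hash field survives into the passwd map. The hash shown is a dummy.
SAMPLE_SAFE='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh'

SAMPLE_UNSAFE='root:*:0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$examplehashexamplehashex:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh'

# Stand-alone usage with the constructed data; on a real client use:
#   ypcat passwd | find_exposed_hashes
audit_map "$SAMPLE_SAFE"   && echo "safe map: no hashes exposed"
audit_map "$SAMPLE_UNSAFE" || echo "unsafe map: hashes exposed (as expected)"
```

The check only tells you what an unprivileged client can read; it says nothing about whether the network itself meets the trust assumptions in Robert's quoted paragraph, and a map that passes it can still be harvested by anyone who can source requests from a privileged port.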