Date:      Sun, 15 Jun 2003 15:58:14 +0200 (CEST)
From:      Martin Blapp <mb@imp.ch>
To:        Mark Murray <mark@grondar.org>
Cc:        current@freebsd.org
Subject:   Re: HEADS UP: rpc.yppasswdd working again 
Message-ID:  <20030615155659.U60004@cvs.imp.ch>
In-Reply-To: <200306151329.h5FDThHh077681@grimreaper.grondar.org>
References:  <200306151329.h5FDThHh077681@grimreaper.grondar.org>


hi,

> > All users who had problems with NIS should rebuild their
> > world. Long outstanding problems have been fixed and
> > rpc.yppasswdd allows root again to change passwords
> > on ypmaster without knowledge of the user's password.

       ^^^^^^^^

> Does this not create a vulnerability?
>
> Example: Bad Guy sets up a personal workstation with himself as root
> and steals an IP address from the machine he just switched off. Now
> he can change passwords on the server at will.

It is only possible on the ypmaster server. And if you are root
you can edit the password files directly, can't you :-) ?

Martin


