From owner-freebsd-hackers Wed May 15 07:19:35 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3)
    id HAA20841 for hackers-outgoing; Wed, 15 May 1996 07:19:35 -0700 (PDT)
Received: from mail.rwth-aachen.de (mail.RWTH-Aachen.DE [137.226.144.9])
    by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA20832 for ;
    Wed, 15 May 1996 07:19:27 -0700 (PDT)
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de)
    by mail.rwth-aachen.de (PMDF V5.0-4 #13110)
    id <01I4QNH5SE8G000X2I@mail.rwth-aachen.de>; Wed, 15 May 1996 15:45:23 +0100
Received: (from kuku@localhost) by gilberto.physik.rwth-aachen.de (8.6.11/8.6.9)
    id PAA29027; Wed, 15 May 1996 15:44:45 +0200
Date: Wed, 15 May 1996 15:44:44 +0200 (MET DST)
From: "Christoph P. Kukulies"
Subject: Re: yppasswdd permissions/ownership
In-reply-to: <199605151326.IAA23557@plains.nodak.edu>
To: tinguely@plains.nodak.edu (Mark Tinguely)
Cc: freebsd-hackers@freefall.freebsd.org, kuku@gilberto.physik.rwth-aachen.de
Reply-to: Christoph Kukulies
Message-id: <199605151344.PAA29027@gilberto.physik.rwth-aachen.de>
MIME-version: 1.0
X-Mailer: ELM [version 2.4ME+ PL16 (25)]
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > We want to allow our NIS users on the clients to set their yp passwords.
> > Since /etc/master.passwd is rw------- root wheel and yppasswdd runs
> > as bin bin it seems to me impossible to change the master password database.
> >
> > Shouldn't yppasswdd better be run as 4755 root bin ? Or is this
> > a potential security hole?
>
> yppasswdd is a daemon that runs as root. yppasswdd is started from /etc/rc

Yes, of course it runs as root - I must have had a blackout :-)

> because your /etc/sysconfig has the line:
>
> yppasswddflags="-m /etc/master.passwd -s -f"

We are running yppasswd with these flags. I just gave it a test.
I could do a passwd on the client. After that I could not log in to
the client. I could well log in to the server with the new password.
Might it be some problem with DES/MD5 encryption? I build world with
NOCRYPT. All binaries are from -current.

>
> --mark.
>

--Chris
Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de