Date: Tue, 4 Feb 1997 09:42:54 -0500 (EST)
From: Branson Matheson <branson@ferginc.com>
To: Walter Belgers <W.Belgers@nl.cis.philips.com>
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: NIS/uids
Message-ID: <Pine.BSF.3.91.970204090156.19773L-100000@toth.hq.ferg.com>
In-Reply-To: <199702041010.LAA27440@giga.lss.cp.philips.com>
On Tue, 4 Feb 1997, Walter Belgers wrote:

> Hi,
>
> I hope this is the right place to tell my story.
>
> I run FreeBSD 2.1.5. On my system are a bunch of local users but I also
> have users from the NIS database on another system (an HP). In my
> password file the users are defined as follows:
>
> +user::::::::/home/john:/usr/local/bin/tcsh
>
> So I override the homedir and shell.
>
> The problem now is that the security on my system has become dependent
> on that of the NIS server. If I am root on the NIS server I can change
> the uid of "user" into any user including root and make use of it on my
> system. Even if you can only become root using su you can easily first
> become a user in wheel and then root.

That is a fact. Because you are using that information from an NIS server,
you will _always_ have a security risk from that server. Anyone that has
root on that server can modify a yp'd entry on that server, change the uid
to 0 and become root on your system very easily. So by definition, you
_have_ to trust your yp servers.

> The obvious solution is to override the uid in the password file:
> +user::1234:1234:::::/home/john:/usr/local/bin/tcsh

You can do that.. but at this point the only win you have over separate
entries in the PW file is a single global password.

> But now I have another problem... the userid is not mapped to the
> username any more.
>
> The fact that "user" now is only known as uid 1234 and not as user
> "user" gives rise to a lot of problems.
>
> Is this a bug or am I overlooking something?

I was able to reproduce this.. it is probably a bug in the login sequence.
I looked at login itself.. but could not find anything obvious... can
someone more experienced look at this?
-branson
=============================================================================
Branson Matheson     | Ferguson Enterprises | If you're falling off a
System Administrator | W: (804) 874-7795    | mountain, you might as well
Unix, Perl, WWW      | branson@ferginc.com  | attempt to fly.  -Delenn
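The trust relationship the two messages above describe, as an added illustration that is not part of the thread and not FreeBSD's getpwent code: a simplified model of how a "+name" compat entry in master.passwd is filled in from a NIS passwd map. The model assumes the behaviour Walter's examples rely on (an empty field in the local +entry is taken from the NIS map, a non-empty field overrides it), the 10-field master.passwd(5) layout locally and the 7-field passwd layout on the NIS side, and it leaves wildcard "+" and "-name" entries out. The sample passwd lines and NIS map are constructed for the example. The "tampered" map is what a root user on the NIS server can push out; the merge shows that john, whose uid field is left blank, becomes uid 0 on the client, while jane, whose uid is pinned locally, does not. The audit helper lists the +entries whose uid is trusted to NIS.

```python
# Added example, not FreeBSD code: a simplified model of passwd "+name" compat
# entries merged against a NIS passwd map.  Assumption (as the thread
# describes): an empty field in the local +entry comes from NIS, a non-empty
# field overrides it.  Wildcard "+" and "-name" entries are not modelled.

LOCAL_FIELDS = ["name", "passwd", "uid", "gid", "class",
                "change", "expire", "gecos", "home", "shell"]   # master.passwd(5)
NIS_FIELDS = ["name", "passwd", "uid", "gid", "gecos", "home", "shell"]  # passwd map


def parse_fields(line, names):
    """Split one colon-separated line into a dict; refuse a wrong field count."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(names):
        raise ValueError("expected %d fields, got %d: %r" % (len(names), len(parts), line))
    return dict(zip(names, parts))


def nis_entry_as_local(line):
    """Widen a 7-field passwd-map line to the 10-field master.passwd layout."""
    entry = {f: "" for f in LOCAL_FIELDS}
    entry.update(parse_fields(line, NIS_FIELDS))
    return entry


def merge_compat(local_lines, nis_map):
    """Return the effective account table (name -> 10-field dict)."""
    effective = {}
    for line in local_lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_fields(line, LOCAL_FIELDS)
        if not entry["name"].startswith("+") or entry["name"] == "+":
            effective[entry["name"]] = entry      # plain local account
            continue
        name = entry["name"][1:]
        if name not in nis_map:                   # unknown on the NIS server: no account
            continue
        remote = nis_entry_as_local(nis_map[name])
        # Empty local field -> value from NIS; non-empty local field -> local override.
        merged = {f: entry[f] if entry[f] != "" else remote[f] for f in LOCAL_FIELDS}
        merged["name"] = name
        effective[name] = merged
    return effective


def effective_uids(local_lines, nis_map):
    """Just the name -> uid view of merge_compat(), for quick comparison."""
    return {n: e["uid"] for n, e in merge_compat(local_lines, nis_map).items()}


def plus_entries_trusting_nis_uid(local_lines):
    """Names of +entries whose uid field is empty: their uid, and so their
    privilege on this host, is whatever the NIS server currently says."""
    names = []
    for line in local_lines:
        if line.startswith("+") and ":" in line:
            entry = parse_fields(line, LOCAL_FIELDS)
            if entry["name"] != "+" and entry["uid"] == "":
                names.append(entry["name"][1:])
    return names


# Constructed sample data (not from the systems in the thread).
LOCAL_MASTER_PASSWD = [
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    "+john::::::::/home/john:/usr/local/bin/tcsh",          # uid/gid left to NIS
    "+jane::1234:1234:::::/home/jane:/usr/local/bin/tcsh",  # uid/gid pinned locally
]
NIS_PASSWD_MAP = {
    "john": "john:x1:501:20:John Doe:/users/john:/bin/sh",
    "jane": "jane:x2:1234:1234:Jane Roe:/users/jane:/bin/sh",
}
# What root on the NIS server can publish: both uids rewritten to 0.
NIS_PASSWD_MAP_TAMPERED = dict(NIS_PASSWD_MAP,
                               john="john:x1:0:0:John Doe:/users/john:/bin/sh",
                               jane="jane:x2:0:0:Jane Roe:/users/jane:/bin/sh")

if __name__ == "__main__":
    print("honest map:   ", effective_uids(LOCAL_MASTER_PASSWD, NIS_PASSWD_MAP))
    print("tampered map: ", effective_uids(LOCAL_MASTER_PASSWD, NIS_PASSWD_MAP_TAMPERED))
    print("uid trusted to NIS:", plus_entries_trusting_nis_uid(LOCAL_MASTER_PASSWD))
```

With the honest map john resolves to uid 501 and jane to 1234; with the tampered map john becomes uid 0 on the client while jane stays 1234, which is exactly the difference between the two +entry forms quoted above. The audit helper is the check to run over a real master.passwd before deciding whether the NIS server is one you are prepared to trust with root on this host.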