Date:      Tue, 4 Feb 1997 16:06:53 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        branson.matheson@ferginc.com
Cc:        W.Belgers@nl.cis.philips.com, freebsd-hackers@FreeBSD.org
Subject:   Re: NIS/uids
Message-ID:  <199702042306.QAA13339@phaeton.artisoft.com>
In-Reply-To: <Pine.BSF.3.91.970204090156.19773L-100000@toth.hq.ferg.com> from "Branson Matheson" at Feb 4, 97 09:42:54 am

> > The problem now is that the security on my system has become dependent
> > on that of the NIS server. If I am root on the NIS server I can change
> > the uid of "user" into any user including root and make use of it on my
> > system. Even if you can only become root using su you can easily first
> > become a user in wheel and then root.
> 
>  That is a fact.  Because you are using that information from an NIS
>  server, you will _always_ have a security risk from that server. 
>  Anyone that has root on that server can modify a yp'd entry on that
>  server, change the uid to 0 and become root on your system very
>  easily. So by definition, you _have_ to trust your yp servers. 

Yes.  You have established a trust relationship within a "secure zone",
and you have *defined* the NIS client and server to both be inside this
zone.

However...

It makes sense to me that "sensitive" user and group IDs perhaps
should not be honored when they come in via NFS... i.e. user root
or bin, etc., or group bin or kmem.

The problem is that there is no tag you can specify to indicate
to NFS which user or group IDs are "sensitive", and which are not.

This would provide NIS honoring protection similar to NFS not
honoring "root" from a "semi-trusted" host.


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
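An added example, not part of this thread or of any FreeBSD code, of the client-side "don't honor sensitive IDs" check Terry describes, applied to NIS passwd and group map lines in the same spirit as NFS root squash. The numeric GIDs for wheel, kmem and bin are assumed FreeBSD defaults, and the map contents are constructed for the example.

```python
# Client-side check for NIS passwd/group map entries, in the spirit of NFS
# root squash: entries that claim a sensitive UID or GID are refused rather
# than honored, so a compromised NIS server cannot hand out uid 0 or wheel
# membership. Group numbers below are assumed FreeBSD defaults.
SENSITIVE_UIDS = {0}          # root
SENSITIVE_GIDS = {0, 2, 7}    # wheel, kmem, bin (assumed)
SYSTEM_UID_MAX = 99           # UIDs up to here are reserved for local accounts

def check_passwd_entry(line, sensitive_uids=SENSITIVE_UIDS,
                       sensitive_gids=SENSITIVE_GIDS, system_uid_max=SYSTEM_UID_MAX):
    """Return None if the passwd line may be honored, else the refusal reason."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return "malformed entry"
    try:
        uid, gid = int(fields[2]), int(fields[3])
    except ValueError:
        return "non-numeric uid/gid"
    if uid in sensitive_uids:
        return f"uid {uid} is sensitive"
    if uid <= system_uid_max:
        return f"uid {uid} is in the local system range"
    if gid in sensitive_gids:
        return f"primary gid {gid} is sensitive"
    return None

def check_group_entry(line, sensitive_gids=SENSITIVE_GIDS):
    """Refuse NIS group lines that add members to a sensitive group."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        return "malformed entry"
    try:
        gid = int(fields[2])
    except ValueError:
        return "non-numeric gid"
    members = [m for m in fields[3].split(",") if m]
    if gid in sensitive_gids and members:
        return f"gid {gid} is sensitive; members {members} not honored"
    return None

# Constructed sample maps; "mallory" is the kind of entry a compromised
# NIS server could push to clients that honor uid 0 blindly.
PASSWD_MAP = [
    "alice:*:1001:1001:Alice:/home/alice:/bin/sh",
    "mallory:*:0:0:Not Really Root:/home/mallory:/bin/sh",
    "backup:*:1002:2:Backup:/home/backup:/bin/sh",
]
GROUP_MAP = ["staff:*:20:alice", "wheel:*:0:mallory"]
```

Run `check_passwd_entry` and `check_group_entry` over each map line before the entry is merged into the client's view; anything that returns a reason is logged and dropped rather than honored.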


