From owner-freebsd-hackers Wed Feb 5 02:01:27 1997
From: W.Belgers@nl.cis.philips.com (Walter Belgers)
Message-Id: <199702051000.LAA27316@giga.lss.cp.philips.com>
Subject: Re: NIS/uids
To: freebsd-hackers@freebsd.org
Date: Wed, 5 Feb 1997 11:00:12 +0100 (MET)
In-Reply-To: <199702042306.QAA13339@phaeton.artisoft.com> from Terry Lambert at "Feb 4, 97 04:06:53 pm"
Organisation: Origin IT Systems Management /Nederland B.V.

Terry Lambert writes:
> > > The problem now is that the security on my system has become dependent
> > > on that of the NIS server. If I am root on the NIS server I can change
> > > the uid of "user" into any user including root and make use of it on my
> > > system.
>
> It makes sense to me that "sensitive" user and group ID's perhaps
> should not be honored when they come in via NFS... ie: user root
> or bin, etc., or group bin or kmem.

This has turned out to become a discussion about whether or not you
should trust your NIS server, but that's not what I wanted to know.
Let's assume I do not trust the uids coming from the NIS server but I
still do want to use NIS (for passwd/homedir/gecos/whatever). Why does
FreeBSD give me trouble when I override the uid in the local password
file?

a) taking uid from NIS:

    [/] root@giga# grep john /etc/master.passwd
    +john:::::0:0:John Doe:/home/john:/usr/local/bin/tcsh
    [/] root@giga# ypmatch john passwd
    john::1234:1234:John Doe:/home/john:/bin/tcsh
    [/] root@giga# su - john
    > id
    uid=1234(john) gid=1234 groups=1234
    > from
    From walter Wed Feb  5 09:49:57 1997
    >

b) overriding the uid:

    [/] root@giga# grep john /etc/master.passwd
    +john::1234:1234::0:0:John Doe:/home/john:/usr/local/bin/tcsh
    [/] root@giga# ypmatch john passwd
    john::1234:1234:John Doe:/home/john:/bin/tcsh
    [/] root@giga# su - john
    > id
    uid=1234 gid=1234 groups=1234
    > from
    from: no password file entry for you.
    >

Walter.
-- 
Ir. W.H.B. Belgers, Internet Security Specialist        phone: +31 40 2782753
Origin IT Syst.Man. /Nederland bv, Bldg VN-513          fax:   +31 40 2784697
P.O. Box 218, 5600 MD Eindhoven, Netherlands            email: W.Belgers@nl.cis.philips.com
non-business-email: walter@giga.nl                      web: http://www.IAEhv.nl/users/gigawalt
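An added example (my own Python model, not FreeBSD libc code and not something from the thread) of how a "+name" entry in master.passwd is merged with the NIS passwd map. It assumes the compat rule that an empty field in the "+name" line is taken from NIS and a non-empty field overrides it, replays Walter's two entries, and reports which users still have their uid/gid decided by the NIS server, which is the exposure the thread is about.

```python
# Constructed model of NIS compat-mode "+name" entries in master.passwd.
# Assumption (this is not FreeBSD libc code): an empty field in a "+name"
# line is taken from the NIS passwd map, a non-empty field overrides it.
MASTER_FIELDS = ("name", "password", "uid", "gid", "class", "change",
                 "expire", "gecos", "home", "shell")
NIS_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample data mirroring the two cases shown in the message.
NIS_MAP = "john::1234:1234:John Doe:/home/john:/bin/tcsh\n"
MASTER_A = ("root:*:0:0::0:0:root:/root:/bin/csh\n"
            "+john:::::0:0:John Doe:/home/john:/usr/local/bin/tcsh\n")
MASTER_B = "+john::1234:1234::0:0:John Doe:/home/john:/usr/local/bin/tcsh\n"

def parse_lines(text, fields):
    """Split colon-separated lines into {name: {field: value}}."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(":")
        if len(values) != len(fields):
            raise ValueError("expected %d fields: %r" % (len(fields), line))
        table[values[0]] = dict(zip(fields, values))
    return table

def resolve(master_text, nis_text):
    """Effective user table: {name: (record, set of fields decided by NIS)}."""
    nis = parse_lines(nis_text, NIS_FIELDS)
    users = {}
    for key, rec in parse_lines(master_text, MASTER_FIELDS).items():
        if not key.startswith("+"):            # plain local entry
            users[key] = (rec, frozenset())
            continue
        name = key[1:]
        if name not in nis:                    # NIS has no such user: no entry
            continue
        merged, from_nis = dict(rec, name=name), set()
        for field in NIS_FIELDS[1:]:
            if merged[field] == "":            # empty locally -> NIS decides
                merged[field] = nis[name][field]
                from_nis.add(field)
        users[name] = (merged, frozenset(from_nis))
    return users

def nis_decided_ids(users):
    """Names whose uid or gid the NIS server can change; [] if all are pinned."""
    return sorted(n for n, (_, src) in users.items() if src & {"uid", "gid"})
```

With MASTER_A, john's uid and gid come from NIS; with MASTER_B only the (empty) password field does, so nis_decided_ids() returns [].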