Date: Thu, 6 Feb 1997 09:42:07 +0100 (MET)
From: W.Belgers@nl.cis.philips.com (Walter Belgers)
To: terry@lambert.org (Terry Lambert)
Cc: freebsd-hackers@freebsd.org
Subject: Re: NIS/uids
Message-ID: <199702060842.JAA26171@giga.lss.cp.philips.com>
In-Reply-To: <199702052112.OAA15553@phaeton.artisoft.com> from Terry Lambert at "Feb 5, 97 02:12:46 pm"

Terry Lambert writes:
> > Let's assume I do not trust the uid's coming from the NIS server but I
> > still do want to use NIS (for passwd/homedir/gecos/whatever).
>
> Then you have the same problem, this time with associating a
> particular password with a particular name. All you have done is
> trade the association with uid for an association with name. There
> is nothing that prevents me, as an NIS server, from returning the
> password "frobozz" (encrypted, of course) for every user, regardless
> of their real password.

That's right. But at least you could only become one of the NIS users
of which none is in wheel. I can live with people hacking the NIS
server and getting access to my machine, I won't have people becoming
root.

> > Why does FreeBSD give me troubles when I override the uid in the local
> > password file?
>
> It wasn't a case which was considered to ever be anything someone would
> want to do, I believe.

I have to admit it's not something people will normally do. But I
would expect it to work.

> Mostly because if I compromise the NIS server,
> then I can force you to accept any password for any user/password pair,
> and thereby become any user/id pair, so it doesn't give you the protection
> you are trying to get it to give you.

I have no "+" in my password file, only "+user", so you can only hack
those users, not the users that are only locally in my password file.
So it does give the desired protection.

> PS: Do not start a line with a naked "From". I think that's what screwed
> up the other guy's mail filter for his Pine.

Indeed I think it did. Normally elm would put in a '>' or put in a
Content-length header.

> Terry Lambert

Walter.
--
Ir. W.H.B. Belgers, Internet Security Specialist
phone: +31 40 2782753
Origin IT Syst.Man. /Nederland bv, Bldg VN-513
email: fax: +31 40 2784697
P.O. Box 218, 5600 MD Eindhoven, Netherlands
W.Belgers@nl.cis.philips.com
non-business-email: walter@giga.nl -web: http://www.IAEhv.nl/users/gigawalt
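
The "+user only, no bare +" setup described in the message above can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD: it audits a constructed master.passwd for NIS compat entries and lists which fields each one leaves for the NIS server to supply. The sample accounts, the function names and the reading of an empty field as "taken from NIS" are assumptions; the script does not test whether a local uid override is actually honoured, which is the trouble the thread reports.

```python
# Added example, not from the thread. Field order follows FreeBSD master.passwd(5).
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed sample: local accounts plus explicit "+user" entries only.
PLUS_USER_ONLY = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
walter:*:1001:1001::0:0:Local only:/home/walter:/bin/sh
+alice:::::::::
+bob::2001:2001::::::
"""

# Constructed sample: the same file with a bare "+" that admits every NIS user.
WITH_WILDCARD = PLUS_USER_ONLY + "+:::::::::\n"


def audit_nis_entries(text):
    """Return (name, kind, fields_left_to_nis) for every '+' compat line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("+"):
            continue  # local accounts, comments and '-' exclusions
        values = line.split(":")
        values += [""] * (len(FIELDS) - len(values))  # tolerate short lines
        entry = dict(zip(FIELDS, values))
        name = entry["name"]
        kind = ("wildcard" if name == "+"
                else "netgroup" if name.startswith("+@") else "user")
        # Assumption: an empty field is filled in from the NIS map.
        from_nis = [f for f in FIELDS[1:] if not entry[f]]
        findings.append((name, kind, from_nis))
    return findings


def report(text):
    """Summarise what the file lets the NIS server decide."""
    findings = audit_nis_entries(text)
    return {
        "wildcard": any(kind == "wildcard" for _, kind, _ in findings),
        "uid_from_nis": [n for n, _, f in findings if "uid" in f],
    }


if __name__ == "__main__":
    for label, sample in (("+user only", PLUS_USER_ONLY), ("with +", WITH_WILDCARD)):
        print(label, report(sample))
```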