From owner-freebsd-hackers Thu Feb 6 00:44:11 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA17739 for hackers-outgoing; Thu, 6 Feb 1997 00:44:11 -0800 (PST)
Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA17701 for ; Thu, 6 Feb 1997 00:44:05 -0800 (PST)
Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id JAA29556; Thu, 6 Feb 1997 09:42:36 +0100
Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma029505; Thu Feb 6 09:42:09 1997
Received: from giga.lss.cp.philips.com (giga.lss.cp.philips.com [130.144.199.31]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-970131) with SMTP id JAA14528; Thu, 6 Feb 1997 09:42:07 +0100
Received: by giga.lss.cp.philips.com (8.8.5/1.63) id JAA26171; Thu, 6 Feb 1997 09:42:07 +0100 (MET)
From: W.Belgers@nl.cis.philips.com (Walter Belgers)
Message-Id: <199702060842.JAA26171@giga.lss.cp.philips.com>
Subject: Re: NIS/uids
To: terry@lambert.org (Terry Lambert)
Date: Thu, 6 Feb 1997 09:42:07 +0100 (MET)
Cc: freebsd-hackers@freebsd.org
In-Reply-To: <199702052112.OAA15553@phaeton.artisoft.com> from Terry Lambert at "Feb 5, 97 02:12:46 pm"
Organisation: Origin IT Systems Management /Nederland B.V.
X-URL: http://giga.lss.cp.philips.com/cgi-bin/walter.cgi
X-Mailer: ELM [version 2.4ME+ PL19 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Terry Lambert writes:
> > Let's assume I do not trust the uid's coming from the NIS server but I
> > still do want to use NIS (for passwd/homedir/gecos/whatever).
>
> Then you have the same problem, this time with associating a
> particular password with a particular name.  All you have done is
> trade the association with uid for an association with name.  There
> is nothing that prevents me, as an NIS server, from returning the
> password "frobozz" (encrypted, of course) for every user, regardless
> of their real password.

That's right. But at least you could only become one of the NIS users
of which none is in wheel. I can live with people hacking the NIS server
and getting access to my machine, I won't have people becoming root.

> > Why does FreeBSD give me troubles when I override the uid in the local
> > password file?
>
> It wasn't a case which was considered to ever be anything someone would
> want to do, I believe.

I have to admit it's not something people will normally do. But I would
expect it to work.

> Mostly because if I compromise the NIS server,
> then I can force you to accept any password for any user/password pair,
> and thereby become any user/id pair, so it doesn't give you the protection
> you are trying to get it to give you.

I have no "+" in my password file, only "+user", so you can only hack
those users, not the users that are only locally in my password file.
So it does give the desired protection.

> PS: Do not start a line with a naked "From".  I think that's what screwed
> up the other guy's mail filter for his Pine.

Indeed I think it did. Normally elm would put in a '>' or put in a
Content-length header.

> Terry Lambert

Walter.
--
Ir. W.H.B. Belgers, Internet Security Specialist  phone: +31 40 2782753
Origin IT Syst.Man. /Nederland bv, Bldg VN-513    email:    fax: +31 40 2784697
P.O. Box 218, 5600 MD Eindhoven, Netherlands      W.Belgers@nl.cis.philips.com
non-business-email: walter@giga.nl -web: http://www.IAEhv.nl/users/gigawalt
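
The configuration discussed in this message (only "+user" entries, no bare "+", uid pinned locally) can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; it assumes the 10-field master.passwd layout and the compat rule that a non-empty field in a "+" entry overrides the NIS value, and the sample file with the names alice, bob and staff is constructed.

```python
# Added example (not from the original thread): audit NIS compat entries.
# Assumed FreeBSD master.passwd layout, 10 colon-separated fields:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# Assumption: a non-empty field in a "+" entry overrides the NIS value.

# Constructed sample file; alice, bob and staff are made-up names.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
walter:*:1001:1001::0:0:Local user:/home/walter:/bin/sh
+alice:::::::::
+bob::2001:2001::::::
+@staff:::::::::
+:::::::::
"""

def audit(text):
    """Return (line number, kind, message) for each risky '+' entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("+"):
            continue  # local account, comment or '-' exclusion
        fields = line.split(":")
        fields += [""] * (10 - len(fields))  # tolerate short lines
        name, uid = fields[0][1:], fields[2]
        if name == "":
            findings.append((lineno, "wildcard",
                             "bare '+' imports every user the NIS server offers"))
        elif name.startswith("@"):
            findings.append((lineno, "netgroup",
                             f"membership of {name} is decided by the NIS server"))
        elif uid == "":
            findings.append((lineno, "nis-uid",
                             f"uid for {name} is whatever the NIS server returns"))
        elif uid == "0":
            findings.append((lineno, "uid0",
                             f"{name} is imported from NIS with a local uid of 0"))
    return findings

if __name__ == "__main__":
    for lineno, kind, message in audit(SAMPLE):
        print(f"line {lineno}: [{kind}] {message}")
```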