Date: Thu, 6 Feb 1997 14:16:58 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: W.Belgers@nl.cis.philips.com (Walter Belgers)
Cc: terry@lambert.org, freebsd-hackers@freebsd.org
Subject: Re: NIS/uids
Message-ID: <199702062116.OAA17845@phaeton.artisoft.com>
In-Reply-To: <199702060842.JAA26171@giga.lss.cp.philips.com> from "Walter Belgers" at Feb 6, 97 09:42:07 am

> > > Let's assume I do not trust the uid's coming from the NIS server but I
> > > still do want to use NIS (for passwd/homedir/gecos/whatever).
> >
> > Then you have the same problem, this time with associating a
> > particular password with a particular name. All you have done is
> > trade the association with uid for an association with name. There
> > is nothing that prevents me, as an NIS server, from returning the
> > password "frobozz" (encrypted, of course) for every user, regardless
> > of their real password.
>
> That's right. But at least you could only become one of the NIS users of
> which none is in wheel. I can live with people hacking the NIS server
> and getting access to my machine, I won't have people becoming root.

Couldn't I add the user to "wheel" or "kmem" in the NIS groups file
anyway?

I still like the idea of a list of groups and uids that won't be honored
via NIS.

> > Mostly because if I compromise the NIS server,
> > then I can force you to accept any password for any user/password pair,
> > and thereby become any user/id pair, so it doesn't give you the protection
> > you are trying to get it to give you.
>
> I have no "+" in my password file, only "+user", so you can only hack
> those users, not the users that are only locally in my password file. So
> it does give the desired protection.

Do you do "+group" in the group file, as well? I suppose you have to...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
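
Added example, not part of the original message and not FreeBSD code: a sketch of the "list of groups and uids that won't be honored via NIS" idea from the thread, combined with the "+user"-only import, run over constructed records. The function names, the deny lists (including the gid values) and the sample data are all assumptions.

```python
# Added illustration; names, deny lists and sample records are assumptions.
PROTECTED_UIDS = {0}                  # never accept root's uid from NIS
PROTECTED_GROUPS = {"wheel", "kmem"}  # never accept NIS members for these
PROTECTED_GIDS = {0, 2}               # assumed gids for wheel and kmem

def allowed_nis_users(local_passwd_lines):
    """Return (names, wildcard): users named by '+user', and whether a bare '+' exists."""
    names, wildcard = set(), False
    for line in local_passwd_lines:
        name = line.split(":", 1)[0]
        if name == "+":
            wildcard = True
        elif name.startswith("+") and not name.startswith("+@"):
            names.add(name[1:])       # '+@netgroup' entries are ignored in this sketch
    return names, wildcard

def filter_nis_passwd(nis_passwd, local_passwd_lines):
    """Honor only NIS records imported by name that carry no protected uid/gid."""
    names, wildcard = allowed_nis_users(local_passwd_lines)
    accepted, rejected = [], []
    for rec in nis_passwd:
        name, _pw, uid, gid = rec.split(":")[:4]
        if not wildcard and name not in names:
            rejected.append((name, "not imported"))
        elif int(uid) in PROTECTED_UIDS or int(gid) in PROTECTED_GIDS:
            rejected.append((name, "protected uid/gid"))
        else:
            accepted.append(name)
    return accepted, rejected

def filter_nis_groups(nis_group):
    """Drop NIS-supplied membership for protected groups, matched by name or gid."""
    kept = {}
    for rec in nis_group:
        gname, _pw, gid, members = rec.split(":")
        if gname in PROTECTED_GROUPS or int(gid) in PROTECTED_GIDS:
            continue
        kept[gname] = [m for m in members.split(",") if m]
    return kept

# Constructed sample data standing in for what an untrusted NIS server returns.
LOCAL_PASSWD = ["root:*:0:0::/root:/bin/sh", "+alice::::::", "+bob::::::"]
NIS_PASSWD = ["alice:x:1001:100::/home/alice:/bin/sh",
              "bob:x:0:100::/home/bob:/bin/sh",        # uid rewritten to 0
              "mallory:x:1003:100::/home/m:/bin/sh"]   # not imported locally
NIS_GROUP = ["users:*:100:alice,bob", "wheel:*:0:alice", "ops:*:0:bob"]
```

Matching protected groups by gid as well as by name matters here: the constructed "ops" record reuses gid 0 under a different name and would slip past a name-only list.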