From owner-freebsd-hackers Thu Feb 6 13:20:24 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA06192 for hackers-outgoing; Thu, 6 Feb 1997 13:20:24 -0800 (PST)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA06182 for ; Thu, 6 Feb 1997 13:20:17 -0800 (PST)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id OAA17845; Thu, 6 Feb 1997 14:16:58 -0700
From: Terry Lambert
Message-Id: <199702062116.OAA17845@phaeton.artisoft.com>
Subject: Re: NIS/uids
To: W.Belgers@nl.cis.philips.com (Walter Belgers)
Date: Thu, 6 Feb 1997 14:16:58 -0700 (MST)
Cc: terry@lambert.org, freebsd-hackers@freebsd.org
In-Reply-To: <199702060842.JAA26171@giga.lss.cp.philips.com> from "Walter Belgers" at Feb 6, 97 09:42:07 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > > Let's assume I do not trust the uids coming from the NIS server but I
> > > still do want to use NIS (for passwd/homedir/gecos/whatever).
> >
> > Then you have the same problem, this time with associating a
> > particular password with a particular name. All you have done is
> > trade the association with uid for an association with name. There
> > is nothing that prevents me, as an NIS server, from returning the
> > password "frobozz" (encrypted, of course) for every user, regardless
> > of their real password.
>
> That's right. But at least you could only become one of the NIS users, of
> which none is in wheel. I can live with people hacking the NIS server
> and getting access to my machine; I won't have people becoming root.

Couldn't I add the user to "wheel" or "kmem" in the NIS groups file anyway?

I still like the idea of a list of groups and uids that won't be honored
via NIS.
> > Mostly because if I compromise the NIS server,
> > then I can force you to accept any password for any user/password pair,
> > and thereby become any user/id pair, so it doesn't give you the protection
> > you are trying to get it to give you.
>
> I have no "+" in my password file, only "+user", so you can only hack
> those users, not the users that are only locally in my password file. So
> it does give the desired protection.

Do you do "+group" in the group file, as well? I suppose you have to...

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
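The two points raised in this exchange, that a bare "+" in a compat-mode passwd or group file honours whatever the NIS server returns, and that a local list of groups and uids which are never accepted from NIS would close the "put the user in wheel/kmem via the NIS group map" hole, can be shown as a small audit script. This is an added illustration, not code from the thread or from FreeBSD: the passwd, group and NIS map contents are constructed, and the policy (privileged groups `wheel`/`kmem` and uids below `MIN_NIS_UID` are never taken from NIS) is an assumed local rule, not how any real NIS client behaves.

```python
"""Audit NIS compat-mode passwd/group files and apply a local deny-list policy.

All file and map contents below are constructed samples. The policy constants
are an assumed local rule used for illustration only.
"""

# Constructed local /etc/passwd in compat form: only "+user" lines, no bare "+".
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
operator:*:2:5:System &:/:/sbin/nologin
+walter::::::
+alice::::::
"""

# Constructed local /etc/group: a "+group" line AND a bare "+" wildcard,
# which is the gap the thread asks about ("do you do +group as well?").
SAMPLE_GROUP = """\
wheel:*:0:root
kmem:*:2:
+staff:*::
+:*::
"""

# Constructed NIS maps as a (possibly hostile) server could return them:
# alice comes back with uid 0, and wheel/kmem gain NIS-supplied members.
SAMPLE_NIS_PASSWD = """\
walter:$1$xx:1001:20:Walter:/home/walter:/bin/sh
alice:$1$yy:0:0:Alice:/home/alice:/bin/sh
bob:$1$zz:1002:20:Bob:/home/bob:/bin/sh
"""
SAMPLE_NIS_GROUP = """\
wheel:*:0:root,walter
staff:*:20:walter,alice
kmem:*:2:alice
"""

# Assumed local policy: these are never honoured from NIS.
PRIVILEGED_GROUPS = {"wheel", "kmem"}
MIN_NIS_UID = 1000


def compat_entries(text):
    """Return (has_wildcard, names) for the '+' lines of a compat file.

    A bare '+' means every NIS entry is accepted; '+name' admits one entry.
    """
    has_wildcard, names = False, []
    for line in text.splitlines():
        if not line.startswith("+"):
            continue
        name = line.split(":", 1)[0][1:]
        if name:
            names.append(name)
        else:
            has_wildcard = True
    return has_wildcard, names


def filter_nis_passwd(nis_text, allowed_names):
    """Import only named users, and reject any NIS uid below MIN_NIS_UID."""
    kept, rejected = {}, []
    for line in nis_text.splitlines():
        fields = line.split(":")
        name, uid = fields[0], int(fields[2])
        if name not in allowed_names:
            continue  # no '+name' line locally: not imported at all
        if uid < MIN_NIS_UID:
            rejected.append((name, f"uid {uid} below {MIN_NIS_UID}"))
            continue
        kept[name] = uid
    return kept, rejected


def filter_nis_group(nis_text, allowed_groups, has_wildcard):
    """Import NIS groups, but never take privileged group membership from NIS."""
    kept, rejected = {}, []
    for line in nis_text.splitlines():
        fields = line.split(":")
        gname = fields[0]
        members = [m for m in fields[3].split(",") if m]
        if not (has_wildcard or gname in allowed_groups):
            continue
        if gname in PRIVILEGED_GROUPS:
            rejected.append((gname, "privileged group never honoured via NIS"))
            continue
        kept[gname] = members
    return kept, rejected


def audit(passwd=SAMPLE_PASSWD, group=SAMPLE_GROUP,
          nis_passwd=SAMPLE_NIS_PASSWD, nis_group=SAMPLE_NIS_GROUP):
    """Run the checks and return findings plus what would actually be accepted."""
    pw_wild, pw_names = compat_entries(passwd)
    gr_wild, gr_names = compat_entries(group)
    findings = []
    if pw_wild:
        findings.append("passwd: bare '+' accepts every NIS user")
    if gr_wild:
        findings.append("group: bare '+' accepts every NIS group")
    users, bad_users = filter_nis_passwd(nis_passwd, set(pw_names))
    groups, bad_groups = filter_nis_group(nis_group, set(gr_names), gr_wild)
    return {"findings": findings, "users": users, "rejected_users": bad_users,
            "groups": groups, "rejected_groups": bad_groups}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Against the constructed samples the passwd file is clean (only "+user" lines), the group file is flagged for its bare "+", alice is refused because the server handed back uid 0, and the NIS-supplied wheel and kmem memberships are dropped while staff is accepted. That last pair is exactly the "list of groups and uids that won't be honored via NIS" the thread is asking for.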