From owner-freebsd-hackers Fri Feb 7 02:45:41 1997
From: W.Belgers@nl.cis.philips.com (Walter Belgers)
Message-Id: <199702071015.LAA03051@giga.lss.cp.philips.com>
Subject: Re: NIS/uids
To: terry@lambert.org (Terry Lambert)
Date: Fri, 7 Feb 1997 11:15:52 +0100 (MET)
Cc: freebsd-hackers@FreeBSD.ORG
In-Reply-To: <199702062116.OAA17845@phaeton.artisoft.com> from Terry Lambert at "Feb 6, 97 02:16:58 pm"
Organisation: Origin IT Systems Management /Nederland B.V.

Terry Lambert writes:

> > > > Let's assume I do not trust the uid's coming from the NIS server but I
> > > > still do want to use NIS (for passwd/homedir/gecos/whatever).
>
> Couldn't I add the user to "wheel" or "kmem" in the NIS groups file
> anyway?

If I do not override the gid in the local password file, a user could
indeed put himself in wheel and be in wheel on my local machine as well.

> I still like the idea of a list of groups and uids that won't be
> honored via NIS.

Or maybe make an exception for uid 0.

> > I have no "+" in my password file, only "+user", so you can only hack
> > those users, not the users that are only locally in my password file. So
> > it does give the desired protection.
>
> Do you do "+group" in the group file, as well?  I suppose you have to...

No, I don't mind whether or not all gids are in the group file. If a NIS
user is in group 999 which doesn't exist locally, so be it.

> Terry Lambert

Walter.

-- 
Ir. W.H.B. Belgers, Internet Security Specialist      phone: +31 40 2782753
Origin IT Syst.Man. /Nederland bv, Bldg VN-513        fax:   +31 40 2784697
P.O. Box 218, 5600 MD Eindhoven, Netherlands          email: W.Belgers@nl.cis.philips.com
non-business-email: walter@giga.nl & -web: http://www.IAEhv.nl/users/gigawalt
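An audit check for the setup discussed in this thread, added here as an example and not code from the list or from FreeBSD: it scans a local master.passwd and group file for NIS "+" entries, flagging a bare "+" wildcard (every NIS account or group is honoured), "+user" lines whose uid/gid fields are left empty (so the NIS server supplies them), and any "+" line that lets NIS control wheel or kmem. It assumes the BSD compat rule that fields filled in on a "+" line override the NIS values; the sample file contents are constructed.

```python
SENSITIVE_GROUPS = {"wheel", "kmem"}

# Constructed sample files (not from any real host). BSD NIS-compat syntax:
# "+name:..." imports one NIS account, a bare "+:..." imports all of them.
SAMPLE_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
+walter:*:1001:1001::0:0::/home/walter:/bin/sh
+bob::::::::
+::::::::
"""
SAMPLE_GROUP = """\
wheel:*:0:root
kmem:*:2:root
staff:*:20:
+wheel:*:0:
+:*:0:
"""


def passwd_findings(text):
    """Return (line number, message) for risky NIS '+' lines in master.passwd.

    Assumption: fields given on the '+' line override NIS, so an empty uid or
    gid field means the NIS server decides, e.g. a NIS uid of 0 or gid 0.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("+"):
            continue
        fields = line.split(":")
        name = fields[0][1:]
        uid = fields[2] if len(fields) > 2 else ""
        gid = fields[3] if len(fields) > 3 else ""
        if name == "":
            findings.append((n, "bare '+' imports every NIS account"))
        if uid == "" or gid == "":
            label = name or "*"
            findings.append((n, f"'+{label}' takes uid/gid from NIS; pin them locally"))
    return findings


def group_findings(text):
    """Return (line number, message) for NIS '+' lines that touch admin groups."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("+"):
            continue
        name = line.split(":", 1)[0][1:]
        if name == "":
            findings.append((n, "bare '+' merges every NIS group, wheel and kmem included"))
        elif name in SENSITIVE_GROUPS:
            findings.append((n, f"NIS controls membership of local group '{name}'"))
    return findings


if __name__ == "__main__":
    for n, msg in passwd_findings(SAMPLE_PASSWD) + group_findings(SAMPLE_GROUP):
        print(f"line {n}: {msg}")
```

Run against the real files with `passwd_findings(open("/etc/master.passwd").read())` as root; a clean result means every NIS-imported account has a locally pinned uid/gid and no "+" line hands wheel or kmem membership to the server.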