Re: Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)

Benjamin Cline (benji@haven.boston.ma.us)
Sat, 15 Apr 1995 11:20:07 -0400 (EDT)

According to Dale Babiy:
> 
> On Wed, 12 Apr 1995, der Mouse wrote:
> 
> > > Is there a "better" NIS [...]
> > 
> > I'd be interested in hearing about any such.  I'm almost ready to try
> > my hand at writing one myself, but so far the perceived need has not
> > yet been sufficient to make me allocate the time.
> 
> We're running NeXTStep here, do you, or anyone else for that matter, know 
> of any security holes concerning the NetInfo NIS(type) system that deals 
> with our local information sharing?
> 
> So far we've been lucky, I'd like to stop being lucky and start being 
> reasonably intelligent.
> 
I don't know of any gaping, obvious holes in NetInfo, although I have yet to 
really sit down and try to find any (which is on my list of things to get to,
some day). 

You should enable the "Limit information to local network" option (see the
on-line sys-admin docs for information on just how to do this (I don't remember
off the top of my head :-)). Also, because NetInfo is RPC-based, you would be
well advised to protect your network with a filtering bridge or router. As is
typical for RPC-based services, NetInfo doesn't use any fixed port, so I very
much suggest a filtering strategy of blocking everything except that which
is expressly permitted.

And while I'm at it, I believe NeXT's portmap suffers from the bug that it will
allow complete NFS access for any packets claiming to be from the loopback
address (once again, this is something I need to test and verify).

	benji

-- 
Benjamin R. Cline	Large Furry Mammal 	benji@haven.boston.ma.us
	Never set sail with two opinions, always take one or three.
	 Government should be like bamboo: strong, light, flexible
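The default-deny filtering strategy and the spoofed-loopback concern raised above, as an added example that is not part of the original post: a small Python model of a packet filter that permits only expressly listed services and drops packets on the external interface whose source claims to be loopback, contrasted with a blocklist that knows only portmap's fixed port. The interface names, allowlist, and sample packets are constructed for illustration, not taken from any real NeXT configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not real router configuration) of the policy the post
# recommends: permit only what is expressly listed, drop the rest, and treat
# a loopback source arriving on the external interface as spoofed.

@dataclass(frozen=True)
class Packet:
    iface: str   # arrival interface, "ext" or "lo0" (constructed names)
    src: str     # source IPv4 address as text
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PORTMAP = 111  # the only fixed port in the RPC family; the services behind it are dynamic
PERMITTED = {("tcp", 25), ("udp", 53), ("tcp", 53)}  # constructed allowlist

def allowlist_decision(pkt: Packet) -> tuple[str, str]:
    """Default-deny filter: return ('permit' | 'drop', reason)."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing check: a loopback source is only legitimate on lo0.
    if src in LOOPBACK and pkt.iface != "lo0":
        return ("drop", "loopback source on external interface")
    if pkt.iface == "lo0":
        return ("permit", "local traffic")
    if (pkt.proto, pkt.dport) in PERMITTED:
        return ("permit", f"{pkt.proto}/{pkt.dport} expressly permitted")
    # Everything else, including whatever port an RPC service was assigned, is dropped.
    return ("drop", "not expressly permitted")

def blocklist_decision(pkt: Packet) -> tuple[str, str]:
    """Contrast: a blocklist that only knows portmap's fixed port waves a
    dynamically assigned RPC port through, which is why the post prefers allowlisting."""
    if pkt.dport == PORTMAP:
        return ("drop", "portmap blocked")
    return ("permit", "port not on blocklist")

# Constructed sample traffic; the RPC service is assumed to have landed on port 1023.
SAMPLE = [
    Packet("ext", "192.0.2.10", "tcp", 25),    # mail: permitted by both
    Packet("ext", "192.0.2.10", "udp", 111),   # portmap: dropped by both
    Packet("ext", "192.0.2.10", "udp", 1023),  # dynamic RPC port: only the allowlist drops it
    Packet("ext", "127.0.0.1", "udp", 2049),   # NFS request with a forged loopback source
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.proto, pkt.dport, allowlist_decision(pkt)[0], blocklist_decision(pkt)[0])
```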