- Path: sparky!uunet!spool.mu.edu!yale.edu!jvnc.net!darwin.sura.net!wupost!csus.edu!beach.csulb.edu!nic.csu.net!zeus!hliao
- Newsgroups: comp.sys.sun.admin
- Subject: Re: NIS security hole or something?
- Message-ID: <1992Sep15.125342.2656@nic.csu.net>
- From: hliao@zeus.calstatela.edu (Henry Liao)
- Date: 15 Sep 92 12:53:41 PDT
- References: <1992Sep15.002925.6205@bellahs.com>
- Distribution: usa
- Organization: Cal State University, Los Angeles
- Nntp-Posting-Host: zeus.calstatela.edu
- Lines: 35
-
- In article <1992Sep15.002925.6205@bellahs.com>, gfong@bellahs.com (Gary Fong RD) writes:
- ...deleted...
- |> Background:
- |>
- |> Using NIS
- |> Allow a user root access to their own Sun machine (but not server)
- |> All users' home directory is on server
- |>
- |> Problem:
- |>
- |> User can modify own /etc/passwd, add an identical entry for some existing
- |> user (obtained from NIS master server's /etc/passwd) without of course the
- |> password string, login as that user and modify that user's files.
- |>
- |> This doesn't seem to work fortunately for root. But for all the ordinary
- |> users, it does.
- |>
- |> Questions:
- |>
- |> How do we prevent this?
- Remove '+' from /etc/hosts.equiv, so there aren't any trusted
- hosts. A password is required at all times to rlogin from client to server.
- You can also use /etc/netgroup to create groups that will be trusted or
- denied for either /etc/hosts.{equiv,lpd}. Check man pages for more info.
- |>
- |> Can user somehow get root access to server or any other machine?
- Unless a /.rhosts exists w/ client's hostname listed.
- ...deleted...
-
- -Henry Liao o
- California State University, Los Angeles )>
- Networks & Distributed Systems Group ___./]___
- VOICE: (213) 343-4537, 343-4530 hliao@calstatela.edu
- FAX: (213) 343-4575 hliao@csula.bitnet
- #include <std/disclaimer.h>
-
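The checks suggested in the reply above (a bare '+' in /etc/hosts.equiv, netgroup entries, client hostnames in /.rhosts) can be automated. The script below is an added example, not part of the original post: the function name `audit_trust_file`, the severity labels and the sample entries are constructed for illustration, and it assumes lines starting with '#' are comments.

```shell
#!/bin/sh
# Added example: classify each "host [user]" entry of a hosts.equiv- or
# .rhosts-style file and flag the wildcard entries that remove the password
# requirement for rlogin/rsh.
# Output format: "<severity> <file>:<line> <finding>"
audit_trust_file() {
    [ -r "$1" ] || return 0        # a missing file means no trust is granted
    awk -v f="$1" '
        function report(sev, msg) { printf "%s %s:%d %s\n", sev, f, NR, msg }
        /^[ \t]*#/ || NF == 0 { next }   # assumption: "#" lines are comments
        {
            host = $1; user = (NF > 1 ? $2 : "")
            if (host == "+")
                report("CRITICAL", "wildcard host: every remote host is trusted")
            else if (substr(host, 1, 2) == "+@")
                report("REVIEW", "netgroup " substr(host, 3) " is trusted")
            else if (substr(host, 1, 1) == "-")
                report("OK", "explicit deny: " host)
            else
                report("REVIEW", "host " host " is trusted")
            if (user == "+")
                report("CRITICAL", "wildcard user: every remote user is trusted")
        }
    ' "$1"
}

# Demo on a constructed sample file (hostnames and netgroups are made up).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not taken from the post
client1
+
+@trusted_clients
-@untrusted_clients
client2 +
EOF
    audit_trust_file "$tmp"
    rm -f "$tmp"
}
demo
```

On a real server, call `audit_trust_file /etc/hosts.equiv` and `audit_trust_file /.rhosts`; any REVIEW line naming a client whose users hold local root is the case the reply warns about.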