
Re: perl or libc6 bug?: getpwnam('root') in NIS environment



In article <cistron.19990414175741.A28772@arm.com>,
Steve Haslam  <araqnid@debian.org> wrote:
>shadow passwords and NIS don't mix well.

They do, and Linux even supports it.

>Design problem with NIS- there's no
>way for the NIS server to know if a client is privileged to see the
>encrypted password or not

There is. If the request comes from a privileged port (<1024) it must
have been a root process that did the request. That way the NIS
server can see if a process is privileged.

You can do 2 things with that:

1. mangle the password file depending on who does the request. That's
   what we do at Cistron. Behold:

picard% ypmatch miquels passwd
miquels:x:2101:10:Miquel van Smoorenburg:/home/staff/miquels:/usr/bin/zsh
picard% su -m
Password:
picard# ypmatch miquels passwd
miquels:u3.HeDpspFi26:2101:10:Miquel van Smoorenburg:/home/staff/miquels:/usr/bin/zsh

2. You can decide whether or not to serve the shadow password file
   based on the port number the request originated from.

Modern Linux NIS servers support both. Glibc supports NIS shadow maps as well.

Mike.
-- 
Indifference will certainly be the downfall of mankind, but who cares?
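
A small model of the two server-side behaviours described in the message above, as an added example that is not part of the original post and is not ypserv's code. The map contents, the `lookup` function and all other names are constructed for illustration; the model assumes the source port is the only signal the server uses, so the check is only as strong as the trust placed in root on every host that can reach the server.

```python
# Added illustration: models the port-based decision described in the message.
# Not taken from any NIS server implementation; all names are hypothetical.

PRIVILEGED_PORT_LIMIT = 1024  # source ports below this can only be bound by root

# Constructed sample maps; the hash field is a placeholder, not a real hash.
PASSWD_BYNAME = {
    "alice": "alice:PLACEHOLDERHASH:2101:10:Alice Example:/home/alice:/bin/sh",
}
SHADOW_BYNAME = {
    "alice": "alice:PLACEHOLDERHASH:10700:0:99999:7:::",
}


def from_privileged_port(src_port):
    """True when the request's source port is in the root-only range."""
    return 0 < src_port < PRIVILEGED_PORT_LIMIT


def mangle(entry, field=1, replacement="x"):
    """Replace one colon-separated field (the password by default)."""
    parts = entry.split(":")
    parts[field] = replacement
    return ":".join(parts)


def lookup(map_name, key, src_port):
    """Return the entry as the server would answer it, or None if refused."""
    privileged = from_privileged_port(src_port)
    if map_name == "passwd.byname":
        # Option 1: always answer, but hide the hash from unprivileged ports.
        entry = PASSWD_BYNAME.get(key)
        if entry is None:
            return None
        return entry if privileged else mangle(entry)
    if map_name == "shadow.byname":
        # Option 2: refuse the whole map unless the port is privileged.
        return SHADOW_BYNAME.get(key) if privileged else None
    return None


if __name__ == "__main__":
    for port in (40000, 600):
        print(port, lookup("passwd.byname", "alice", port))
        print(port, lookup("shadow.byname", "alice", port))
```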

