Re: perl or libc6 bug?: getpwnam('root') in NIS environment
According to Ben Gertzfield:
> >>>>> "Miquel" == Miquel van Smoorenburg <miquels@cistron.nl> writes:
>
> Miquel> There is. If the request comes from a privileged port
> Miquel> (<1024) it must have been a root process that did the
> Miquel> request. That way the NIS server can see if a process is
> Miquel> privileged.
>
> Miquel> 1. mangle the password file depending on who does the
> Miquel> request. That's what we do at Cistron. Behold:
>
> This is a really lame way of doing security, IMHO. :) If you're on a
> windows or mac box, there's nothing stopping you from binding on ports
> < 1024.
There is. You set up /etc/ypserv.conf or /etc/ypserv.securenets so
that only a few listed machines have access to the NIS server. Random
windows or mac boxes do NOT have access to anything on my ethernet.
Plus we're using switched ethernet - no tapping.
> Same thing for determining who made the request; identd
> is only meaningful on a windows box.
You mean that it's not meaningful on a windows box. It's useless for
NIS as well - it's too slow. I've tried to use ident for NIS
security - slow, as I said.
> NIS is just full of holes
It's not any less safe than pop3, telnet, rlogin, or any other of
those old-style protocols.
> really. NIS+ is theoretically better
Yes, like ssh, kerberos, etc, and any other of those new-style protocols.
Unfortunately Debian is mostly US-based and any safe protocols are
treated like ammunition. You can't export that even though the rest of the
world already has it (or even invented it).
[deleted obvious gun remark I was going to put here]
Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?
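
A small Python model of the policy discussed in this message, added here as an example and not part of the original post or of ypserv itself: the host allow-list is checked first, and only then does the source port decide whether the password field is mangled. The function names, addresses and passwd entry are constructed for illustration; the allow-list uses the "netmask network" line layout of ypserv.securenets.

```python
import ipaddress

# Constructed allow-list in the "netmask network" layout of ypserv.securenets.
SECURENETS = """\
# netmask        network
255.0.0.0        127.0.0.0
255.255.255.255  192.0.2.10
255.255.255.240  192.0.2.32
"""

# Constructed passwd map entry; the hash is a placeholder, not a real value.
ENTRY = "root:HASHPLACEHOLDER:0:0:root:/root:/bin/sh"


def parse_securenets(text):
    """Turn 'netmask network' lines into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        netmask, network = line.split()
        nets.append(ipaddress.ip_network(f"{network}/{netmask}"))
    return nets


def decide(src_ip, src_port, nets):
    """Return 'deny', 'full' or 'mangled' for one request.

    The port test is only reached for hosts on the allow-list: a low source
    port says nothing about a machine the administrator does not control.
    """
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in nets):
        return "deny"
    return "full" if src_port < 1024 else "mangled"


def serve_passwd_entry(entry, decision):
    """Apply the decision to a passwd entry; mangling hides the hash field."""
    if decision == "deny":
        return None
    fields = entry.split(":")
    if decision == "mangled":
        fields[1] = "x"
    return ":".join(fields)


if __name__ == "__main__":
    nets = parse_securenets(SECURENETS)
    for ip, port in [("192.0.2.10", 800), ("192.0.2.40", 40000), ("198.51.100.7", 600)]:
        verdict = decide(ip, port, nets)
        print(ip, port, verdict, serve_passwd_entry(ENTRY, verdict))
```
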