Re: perl or libc6 bug?: getpwnam('root') in NIS environment

[Miquel van Smoorenburg <miquels@cistron.nl>]

According to Ben Gertzfield:
> >>>>> "Miquel" == Miquel van Smoorenburg <miquels@cistron.nl> writes:
> 
>     Miquel> There is. If the request comes from a priviliged port
>     Miquel> (<1024) it must have been a root process that did the
>     Miquel> request. That way the NIS server can see if a process is
>     Miquel> priviliged.
> 
>     Miquel> 1. mangle the password file depending on who does the
>     Miquel> request. That's what we do at Cistron. Behold:
> 
> This is a really lame way of doing security, IMHO. :) If you're on a
> windows or mac box, there's nothing stopping you from binding on ports
> < 1024.

There is. You setup /etc/ypserv.conf or /etc/ypserv.securenets so
that only a few listed machines have access to the NIS server. Random
windows or mac boxes do NOT have access to anything on my ethernet.
Plus we're using switched ethernet - no tapping.

> Same thing for determining who made the request; identd
> is only meaningful on a windows box.

You mean that it's not meaningful on a windows box. It's useless for
NIS aas well - it's too slow. I've tried to use ident for NIS
security - slow, as I said.

> NIS is just full of holes

It's not any less safer as pop3, telnet, rlogin, or any other of
those old-style protocols

> really. NIS+ is theoretically better

Yes, like ssh, kerberos, etc, and any other of those new-style protocols

Unfortunately Debian is mostly US-based and any safe protocols are
treated like ammuniton. You can't export that even though the rest of the
world alrady has it (or even invented it).

[deleted obvious gun remark I was going to put here]

Mike.
-- 
Indifference will certainly be the downfall of mankind, but who cares?