
Re: perl or libc6 bug?: getpwnam('root') in NIS environment



On Wed, Apr 14, 1999 at 05:57:41PM +0100, Steve Haslam wrote:
> shadow passwords and NIS don't mix well. Design problem with NIS- there's no
> way for the NIS server to know if a client is privileged to see the
> encrypted password or not, so it's always got to be put in.

The Linux NIS server gets around this by having a separate shadow map
and restricting access to requests originating below port 1024 (i.e., a
privileged port from root on the remote system) and further it can
lock down requests to only the local subnet.

While this is not a perfect system, it prevents such occurrences unless
the user knows what they are doing (or knows enough to find a script to
do it for them).

Bottom line, you are correct, NIS is not secure, which is why it will
eventually be made obsolete by things like DCE and LDAP.

--
-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <b.m.collins@larc.nasa.gov>                  Debian GNU/Linux
OpenLDAP Core - bcollins@openldap.org                 bcollins@debian.org
UnixGroup Admin - Jordan Systems         The Choice of the GNU Generation
------ -- ----- - - -------   ------- -- ---- - -------- - --- ---- -  --
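
The access check described in the message above, modelled as an added example (not part of the original post, and not ypserv's own code). The `netmask network` and `host : domain : map : security` line formats follow ypserv's securenets and ypserv.conf files; the addresses, the domain name `example`, and the first-match and default-allow behaviour are assumptions of this model.

```python
import ipaddress

# Constructed sample policy (not from the original message).
SECURENETS = ["255.255.255.0 192.168.10.0"]      # netmask network
RULES = [
    "* : * : shadow.byname : port",              # host : domain : map : security
    "* : * : * : none",
]


def parse_securenets(lines):
    """Turn 'netmask network' lines into ip_network objects."""
    nets = []
    for line in lines:
        mask, net = line.split()
        nets.append(ipaddress.ip_network(f"{net}/{mask}"))
    return nets


def parse_rules(lines):
    """Split each rule into (host, domain, map, security)."""
    return [tuple(field.strip() for field in line.split(":")) for line in lines]


def decide(src_ip, src_port, domain, mapname, nets, rules):
    """Return 'allow' or 'deny' for a single map lookup."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in nets):
        return "deny"                    # request from outside the local subnet
    for host, dom, rule_map, security in rules:   # assumption: first match wins
        if host not in ("*", src_ip):
            continue
        if dom not in ("*", domain) or rule_map not in ("*", mapname):
            continue
        if security == "deny":
            return "deny"
        if security == "port" and src_port >= 1024:
            return "deny"                # not sent from a privileged port
        return "allow"
    return "allow"                       # assumption: no matching rule allows


NETS = parse_securenets(SECURENETS)
PARSED_RULES = parse_rules(RULES)
```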

