
Re: OT: Is it so easy to break into an NIS?



On Tuesday 18 March 2003 04:13 pm, Haim Ashkenazi wrote:
> Hi
Hello,

> A friend just asked me this question and I got curious. Say I'm equipped
> with a Linux laptop and some knowledge, I can walk into a company that uses
> NIS, find out the settings (NISDOMAIN, free IP address, etc...) and join
> their domain. Now I can log in as root on my computer, su to any user and
> see/change/delete his files. Is it that easy?

Yes, quite.  NIS uses no authentication whatsoever.

> Of course, administrators should protect their mounts with netgroups
> permissions, and users should protect their important files with
> encryption, but how many of these do you see?

Not many.  The problems you describe above are well-known.

> Any ideas? Suggestions?

Use LDAP and Kerberos instead of NIS.  They are equally or better supported
in every situation I know of.

- Keegan
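
A defender-side check for the netgroup point raised in the thread, as an added example that is not part of the original messages: it parses a server's export list and reports entries that any host can mount or that leave client root unsquashed. It assumes Linux exports(5) syntax; the sample file contents, paths and netgroup names are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; all paths and names are made up.
SAMPLE_EXPORTS = """\
# home directories
/home      @staff_ws(rw,sync,root_squash)
/projects  *(rw,sync)
/scratch   (rw,no_root_squash)
/tools     192.0.2.0/24(ro) *.example.com(ro)
/backup    @backup_hosts(rw,no_root_squash) \\
           admin1.example.com(rw)
"""

# One client spec: optional host/netgroup, optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    text = re.sub(r"\\\n", " ", text)            # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:             # no client list: every host
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                findings.append((path, spec, "unparsed"))
                continue
            host, opts = m.group(1), set((m.group(2) or "").split(","))
            if host in ("", "*"):
                # Any machine on the network can mount this, which is the
                # situation described in the question.
                findings.append((path, host or "<none>", "any-host"))
            if "no_root_squash" in opts:
                # Root on the client is not mapped to the anonymous user.
                findings.append((path, host or "<none>", "no_root_squash"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:10} {client:15} {finding}")
```

Entries restricted to a netgroup (`@name`) or a specific host or subnet produce no `any-host` finding; those are the exports an unknown laptop on the network cannot simply mount.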


