
local authentication spoofing using libnss-ldap



Hi List,

I am using the libnss-ldap and libpam-ldap packages with default configuration.

NSS is configured to allow passwd and group resolution over ldap.

user@host:~$ cat /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

If a user account exists in the local /etc/passwd and in the LDAP database, the user can authenticate with both passwords, but is always logged in as the local user.

It seems to me that NSS should resolve the correct UID.

I can create an LDAP account named 'root', with a weak password and uid 12345, then su - on the system and log in as root with the weak password, and get uid 0.

It's not Debian-related, but I would like to know if this is a misconfiguration.

Any advice ?

Regards,
Yann


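The scenario above is a name collision: pam_ldap verifies the password of the LDAP entry called 'root', but the session's uid comes from NSS, and with `passwd: compat ldap` the first source that knows the name (the local /etc/passwd, uid 0) wins. The script below is an added example, not part of Yann's post, that finds such collisions by comparing a local passwd file against an LDIF export of the directory's posixAccount entries. The passwd lines and the LDIF are constructed sample data; the cut-off of 999 for "system account" is an assumption about the host's uid layout.

```python
"""Find login names that exist both in local /etc/passwd and in LDAP.

With 'passwd: compat ldap' NSS returns the first match, so a local entry
shadows an LDAP entry of the same name. If PAM is willing to accept the
LDAP password for that name, the caller ends up with the LOCAL uid.
Listing every duplicated name is the quickest way to audit for this.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample data: what the poster describes (local root uid 0,
# LDAP 'root' with uid 12345), plus one harmless duplicate and one LDAP-only user.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
yann:x:1000:1000:Yann:/home/yann:/bin/bash
+::::::
"""

LDAP_LDIF = """dn: uid=root,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: root
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/root

dn: uid=yann,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: yann
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/yann

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 2001
gidNumber: 2001
homeDirectory: /home/alice
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> uid from /etc/passwd-formatted text."""
    accounts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess
        name, uid = fields[0], fields[2]
        # '+name' / '-name' lines are compat-mode (NIS) directives, not accounts
        if name.startswith(("+", "-")):
            continue
        accounts[name] = int(uid)
    return accounts


def parse_ldif_posix(text: str) -> Dict[str, int]:
    """Map uid (login name) -> uidNumber for posixAccount entries in LDIF.

    Minimal parser: plain 'attr: value' lines only, no base64 (::) or
    line-folding support, which is enough for a hand-made export like above.
    """
    accounts: Dict[str, int] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "posixaccount" not in classes:
            continue
        if "uid" in attrs and "uidnumber" in attrs:
            accounts[attrs["uid"][0]] = int(attrs["uidnumber"][0])
    return accounts


def find_collisions(local: Dict[str, int], ldap: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Names defined on both sides as (name, local_uid, ldap_uidNumber)."""
    return sorted((n, local[n], ldap[n]) for n in local.keys() & ldap.keys())


def privileged_collisions(collisions: List[Tuple[str, int, int]],
                          max_system_uid: int = 999) -> List[Tuple[str, int, int]]:
    """Collisions whose LOCAL entry is a system account (assumed uid <= 999).

    These are the ones where an LDAP password grants a privileged local uid.
    """
    return [c for c in collisions if c[1] <= max_system_uid]


if __name__ == "__main__":
    found = find_collisions(parse_passwd(LOCAL_PASSWD), parse_ldif_posix(LDAP_LDIF))
    for name, local_uid, ldap_uid in found:
        flag = "PRIVILEGED" if local_uid <= 999 else "duplicate"
        print(f"{flag}: {name} local uid {local_uid}, LDAP uidNumber {ldap_uid}")
```

On a real host read /etc/passwd directly rather than `getent passwd`, since the merged NSS view already hides the shadowed LDAP entry; export the directory side with something like `ldapsearch -x -b <base> '(objectClass=posixAccount)' uid uidNumber`. Any name flagged PRIVILEGED should be removed from one side, or the LDAP side restricted so that pam_ldap never authenticates names that also exist locally.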