[Pkg-shadow-devel] Bug#89523: Bug confirmed : NIS line changed by passwd

Tomasz Kłoczko, 89523@bugs.debian.org
Fri, 1 Apr 2005 14:56:03 +0200 (CEST)


On Thu, 31 Mar 2005, Christian Perrier wrote:

> package passwd
> severity 89523 minor
> tags 89523 upstream
> forwarded 89523 Tomasz Kłoczko <kloczek@zie.pg.gda.pl>
> thanks
>
> I confirm that using passwd to change root's password on a system
> where the "+::::::" is the last line of /etc/passwd changes it to
> +::0:0:::
>
> As noted in the bug log, this seems harmless and is more an
> aesthetical bug, if this is a bug and not a feature.
>
> Tomasz, any input on this?

With the old compat-type NIS implementation, IIRC, it isn't possible to
specify a range of UIDs/GIDs which can be managed by NIS. Sometimes having
a NISed root account can be a good feature (I know some clustered
environments where it is used).
The latest NIS implementation prepared by Thorsten Kukuk has the ability to
specify the range of UIDs/GIDs managed by ypserver, but only at the level of
the scripts for converting files to NIS db files. If an intruder has the
ability to inject a root account directly into the NIS db files, this fact
will not even be reported by ypserv. On the client side (ypbind), the
current implementation also has no configuration parameters which would
allow enforcing the range of UIDs/GIDs imported from the NIS server (maybe
it would be good to report this as a kind of RFE for Thorsten).

To summarize: I'm not sure that classifying this case as a bug is correct.
Maybe documenting this as a feature would be better.

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
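The reply above notes that neither ypserv nor ypbind enforces a UID/GID range on NIS entries, so that check has to be done out of band. The following is an added example, not part of the original message and not code from shadow or NIS: it audits passwd-format lines (such as `ypcat passwd` output) against an assumed allowed ID range and flags local compat lines like the rewritten `+::0:0:::`. The range values, function names and sample lines are constructed for illustration.

```python
# Assumed site policy (hypothetical values): IDs that NIS may serve.
ALLOWED_UIDS = range(1000, 60000)
ALLOWED_GIDS = range(1000, 60000)

def audit_nis_passwd(lines, uids=ALLOWED_UIDS, gids=ALLOWED_GIDS):
    """Return (name, reason) findings for passwd-map entries outside policy."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        try:
            uid_n, gid_n = int(uid), int(gid)
        except ValueError:
            findings.append((name, "non-numeric uid/gid"))
            continue
        if uid_n not in uids:
            findings.append((name, f"uid {uid_n} outside allowed range"))
        if gid_n not in gids:
            findings.append((name, f"gid {gid_n} outside allowed range"))
    return findings

def compat_entries_with_ids(lines):
    """Return local '+'/'-' compat lines whose uid or gid field is filled in."""
    hits = []
    for raw in lines:
        fields = raw.strip().split(":")
        if fields[0][:1] in ("+", "-") and any(fields[2:4]):
            hits.append(raw.strip())
    return hits

# Constructed sample data: a NIS passwd map and a local /etc/passwd tail.
SAMPLE_MAP = [
    "alice:x:1001:1001:Alice:/home/alice:/bin/sh",
    "toor:x:0:0:injected:/root:/bin/sh",
    "bob:x:1002:100:Bob:/home/bob:/bin/sh",
]
SAMPLE_LOCAL = ["root:x:0:0:root:/root:/bin/bash", "+::0:0:::"]

if __name__ == "__main__":
    for name, reason in audit_nis_passwd(SAMPLE_MAP):
        print(f"NIS map: {name}: {reason}")
    for line in compat_entries_with_ids(SAMPLE_LOCAL):
        print(f"local compat entry carries ids: {line}")
```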