Bug#89523: [Pkg-shadow-devel] Bug#89523: Bug confirmed : NIS line changed by passwd

Christian Perrier <bubulle@debian.org>, 89523@bugs.debian.org
Sat, 2 Apr 2005 10:28:13 +0200


> > I confirm that using passwd to change root's password on a system
> > where the "+::::::" is the last line of /etc/passwd changes it to
> > +::0:0:::
> > 
> > As noted in the bug log, this seems harmless and is more an
> > aesthetical bug, if this is a bug and not a feature.
> > 
> > Tomasz, any input on this?
> 
> With the old compat-type NIS implementation, IIRC, it isn't possible to
> specify a range of UIDs/GIDs which can be managed by NIS. Sometimes having
> a NISed root account can be a good feature (I know some clustered
> environments where it is used).

So, what you're telling us here is that these "0"'s define a range of
UID/GIDs which are managed (or excluded?) by NIS.


> The latest NIS implementation prepared by Thorsten Kukuk has the ability to
> specify a range of UIDs/GIDs managed by ypserver, but only at the level of
> the scripts for converting files to NIS db files. If an intruder has the
> ability to inject a root account directly into the NIS db files, this fact
> will not even be reported by ypserv. On the client side (ypbind), in the
> current implementation there are also no configuration parameters which
> would allow forcing the range of UIDs/GIDs imported from the NIS server
> (maybe it would be good to report this as a kind of RFE for Thorsten).
> 
> To summarize: I'm not sure classifying this case as a bug is correct. Maybe
> documenting this as a feature would be better.


The feature would then be passwd disabling the root password injection
to NIS. Am I right? Not all this is very clear to me...:-)
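
An added example, not part of the original thread: a small audit that lists compat-mode (`+`/`-`) lines in a passwd file whose uid or gid field is filled in, which is the `+::0:0:::` form reported above. The function name and the sample contents are constructed for illustration, and the check makes no claim about how a given NIS client interprets those fields.

```python
import sys

# Constructed sample: ordinary accounts, untouched compat entries, and the
# rewritten NIS line described in this bug report as the last line.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+@admins::::::
-baduser::::::
+::0:0:::
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def audit_compat_entries(text):
    """Return (lineno, line, problems) for each compat line that has a
    malformed field count or a non-empty uid/gid field."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line[0] not in "+-":
            continue  # ordinary local account or blank line
        parts = line.split(":")
        if len(parts) == 1:
            continue  # bare "+" / "+name" form, nothing to compare
        problems = []
        if len(parts) != len(FIELDS):
            problems.append(f"expected 7 fields, found {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        for key in ("uid", "gid"):
            value = entry.get(key, "")
            if value:
                problems.append(f"{key} field set to {value!r}")
        if problems:
            findings.append((lineno, line, problems))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for lineno, line, problems in audit_compat_entries(data):
        print(f"line {lineno}: {line}  <- {'; '.join(problems)}")
```

Running it against a copy of /etc/passwd taken before and after a `passwd root` run shows whether the compat line was rewritten.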