Bug#89523: [Pkg-shadow-devel] Bug#89523: Bug confirmed : NIS line changed by passwd

Tomasz Kłoczko, 89523@bugs.debian.org
Sat, 2 Apr 2005 11:56:38 +0200 (CEST)

On Sat, 2 Apr 2005, Christian Perrier wrote:
[..]
> > The latest NIS implementation prepared by Thorsten Kukuk has the ability to
> > specify the range of UIDs/GIDs managed by ypserv, but only at the level of the
> > scripts for converting files to NIS db files. If an intruder has the ability to
> > inject a root account directly into the NIS db files, this fact will not even be
> > reported by ypserv. On the client side (ypbind), in the current implementation,
> > there are also no configuration parameters which would allow forcing the range of
> > UIDs/GIDs imported from the NIS server (maybe it would be good to report this as
> > a kind of RFE for Thorsten).
> >
> > To summarize: I'm not sure that classifying this case as a bug is correct. Maybe
> > documenting this as a feature would be better.
>
> The feature would then be passwd disabling the root password injection
> to NIS. Am I right? Not all this is very clear to me...:-)

Sorry .. I'm still learning English :)

On the NIS client side there is no code to allow importing only a specified range
of UIDs/GIDs from the NIS server. If ypserv has information about UID/GID=0
registered in its db files, the client will import it, and only the order of the
entries for the passwd, group and shadow maps in /etc/nsswitch.conf will specify
where this information is taken from.
If you have in /etc/nsswitch.conf:

passwd:	files nis
group:	files nis
shadow:	files nis

you will have the root account with properties from the local /etc/{passwd,group,shadow}.
If the order is different, like:

passwd:	nis files
group:	nis files
shadow:	nis files

you will have a NISed root (if the network is up). And to clarify *this* it
would be good to document it somewhere. As I said before, this is not a bug .. more a
feature :) For example, for a clustered environment, having a NISed/LDAPed root
account when the network is up is a very good feature :)

But yes .. it would also be good to have NIS client and server configuration
parameters to allow forcing export by the NIS server and/or import by the NIS
client (ypbind) of only specified ranges of UIDs/GIDs.

I think (now) .. another way to solve this generally could be
extending the /etc/nsswitch.conf syntax to allow configuring, in a central point
(independently of NIS, LDAP, SQL etc.), the range of
UIDs/GIDs imported from NSS maps.

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
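The ordering rule described in the message above (whichever source is listed first in /etc/nsswitch.conf for passwd, group and shadow decides where the UID/GID 0 entry comes from) is easy to audit on a client. The following script is an added example, not code from the bug report or from the shadow, ypserv or ypbind projects: it parses an nsswitch.conf, reports the source order for the three account databases, and flags any database where `nis` is consulted before `files`. The two configurations it checks are constructed to match the two orderings quoted in the message and are written to temporary files; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the shadow/NIS projects.
# It checks which source wins for the passwd, group and shadow databases in an
# nsswitch.conf, flagging any database where "nis" is consulted before "files"
# (the ordering the message says hands root over to the NIS server).

# nss_source_order FILE DB: print the source list configured for database DB
# in FILE (comments stripped, whitespace normalised), e.g. "files nis".
nss_source_order() {
    sed -e 's/#.*//' "$1" \
        | awk -F: -v db="$2" '$1 == db { print $2; exit }' \
        | tr -s '\t ' ' ' \
        | sed -e 's/^ *//' -e 's/ *$//'
}

# files_before_nis FILE DB: succeed when "files" is consulted before "nis" for DB
# (or when nis is not listed at all); fail when a NIS entry can shadow a local one.
files_before_nis() {
    files_pos=0
    nis_pos=0
    i=0
    for src in $(nss_source_order "$1" "$2"); do
        i=$((i + 1))
        if [ "$src" = files ] && [ "$files_pos" -eq 0 ]; then
            files_pos=$i
        elif [ "$src" = nis ] && [ "$nis_pos" -eq 0 ]; then
            nis_pos=$i
        fi
    done
    if [ "$nis_pos" -eq 0 ]; then
        return 0          # no NIS source: nothing remote can override local root
    fi
    [ "$files_pos" -ne 0 ] && [ "$files_pos" -lt "$nis_pos" ]
}

# check_conf FILE: report each account database; exit status 1 if any is NIS-first.
check_conf() {
    bad=0
    for db in passwd group shadow; do
        order=$(nss_source_order "$1" "$db")
        if files_before_nis "$1" "$db"; then
            echo "ok    $db: $order"
        else
            echo "RISK  $db: $order  (NIS entry for UID/GID 0 would win over local files)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample configurations (not from the report), written to temp files.
SAFE_CONF=$(mktemp)
RISKY_CONF=$(mktemp)
trap 'rm -f "$SAFE_CONF" "$RISKY_CONF"' EXIT
printf 'passwd:\tfiles nis\ngroup:\tfiles nis\nshadow:\tfiles nis\nhosts:\tfiles dns\n' > "$SAFE_CONF"
printf '# NIS consulted first\npasswd:\tnis files\ngroup:\tnis files\nshadow:\tnis files\n' > "$RISKY_CONF"

echo "== files-first configuration"
check_conf "$SAFE_CONF" || echo "(misordered)"
echo "== nis-first configuration"
check_conf "$RISKY_CONF" || echo "(misordered)"
```

To audit a real client, call `check_conf /etc/nsswitch.conf` instead of the constructed files; a non-zero exit status means at least one of the three account databases would take a UID/GID 0 entry from the NIS maps rather than from the local files, which is exactly the "NISed root" case the message describes.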