|
Message-Id: <20100111112047.00001af0.Christoph.Pleger@cs.tu-dortmund.de> Date: Mon, 11 Jan 2010 11:20:47 +0100 From: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de> To: Tomas Hoger <thoger@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE id request: GNU libc: NIS shadow password leakage Hello, On Mon, 11 Jan 2010 10:52:08 +0100 Tomas Hoger <thoger@...hat.com> wrote: > > No, that's not true. I have no experience with Linux NIS servers, > > but when the NIS server runs on Solaris (Sun Microsystems is the > > inventor of NIS), the shadow password information, which is in the > > passwd.adjunct.byname map, on the NIS clients can only be seen by > > root. When other users call for example "ypcat > > passwd.adjunct.byname", they get an error message that the map does > > not exist. Also, on Solaris NIS clients, the shadow password cannot > > be seen with getpwnam. > > According to ypserv.conf man page [1], it is possible to restrict data > from some map only to clients using a privileged (< 1024) source port. Yes, and this is the default at least in Debian and Ubuntu NIS servers. > Does Solaris possibly do the same (when configured to do so)? I did a little testing with a Linux NIS client and a Linux NIS server, also with the same client and a Solaris NIS server. I used tcpdump to look at the network traffic and saw that, when ypcat is called as root, it uses privileged ports. Of course, when called by a non-root user, it only uses non-privileged ports. It seems that Linux NIS servers as well as Solaris NIS servers expect that the request is sent from a privileged port when someone wants to look at the "secret" maps, so it is not possible for every user to see the encrypted NIS passwords, but only for root. This is still a security risk in an environment where every user can connect his or her own notebook, but that's another problem. Regards Christoph
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.