Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20100111112047.00001af0.Christoph.Pleger@cs.tu-dortmund.de>
Date: Mon, 11 Jan 2010 11:20:47 +0100
From: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE id request: GNU libc: NIS shadow password  
 leakage

Hello,

On Mon, 11 Jan 2010 10:52:08 +0100
Tomas Hoger <thoger@...hat.com> wrote:

> > No, that's not true. I have no experience with Linux NIS servers,
> > but when the NIS server runs on Solaris (Sun Microsystems is the
> > inventor of NIS), the shadow password information, which is in the
> > passwd.adjunct.byname map, on the NIS clients can only be seen by
> > root. When other users call for example "ypcat
> > passwd.adjunct.byname", they get an error message that the map does
> > not exist. Also, on Solaris NIS clients, the shadow password cannot
> > be seen with getpwnam. 
> 
> According to ypserv.conf man page [1], it is possible to restrict data
> from some map only to clients using a privileged (< 1024) source port.

Yes, and this is the default at least in Debian and Ubuntu NIS servers.

> Does Solaris possibly do the same (when configured to do so)?

I did a little testing with a Linux NIS client and a Linux
NIS server, also with the same client and a Solaris NIS server. I used
tcpdump to look at the network traffic and saw that, when ypcat is
called as root, it uses privileged ports. Of course, when called by
a non-root user, it only uses non-privileged ports.

It seems that Linux NIS servers as well as Solaris NIS servers expect
that the request is sent from a privileged port when someone wants to
look at the "secret" maps, so it is not possible for every user to
see the encrypted NIS passwords, but only for root. This is still a
security risk in an environment where every user can connect his or her
own notebook, but that's another problem.

Regards
  Christoph  

    

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.