On Sat, 2 Apr 2005, Christian Perrier wrote:
[..]
> > The latest NIS implementation prepared by Thorsten Kukuk has the ability to
> > specify the range of UIDs/GIDs managed by ypserv, but only at the level of the
> > scripts for converting files to NIS db files. If an intruder has the ability to
> > inject a root account directly into the NIS db files, this fact will not even be
> > reported by ypserv. On the client side (ypbind) also, in the current implementation
> > there are no configuration parameters which allow forcing the range of
> > UIDs/GIDs imported from the NIS server (maybe it would be good to report this as
> > a kind of RFE for Thorsten).
> >
> > Summary: I'm not sure that classifying this case as a bug is correct. Maybe
> > documenting this as a feature would be better.
>
> The feature would then be passwd disabling the root password injection
> to NIS. Am I right? Not all of this is very clear to me... :-)
Sorry .. I'm still learning English :)
On the NIS client side there is no code to allow importing only a specified
range of UIDs/GIDs from the NIS server. If ypserv has information about
UID/GID=0 registered in its db files, the client will import it, and only
the order of entries for the group, passwd, and shadow maps in
/etc/nsswitch.conf will specify from where this information is pulled.
If you have in /etc/nsswitch.conf:
passwd: files nis
group: files nis
shadow: files nis
you will have a root account with properties from the local
/etc/{passwd,group,shadow}.
If the order is different, like:
passwd: nis files
group: nis files
shadow: nis files
you will have a NISed root (if the network is up). And to clarify *this*
it would be good to document it somewhere. As I said before, this is not a
bug .. more a feature :) For example, in a clustered environment, having a
NISed/LDAPed root account if the network is up is a very good feature :)
But yes .. it would also be good to have NIS client and server configuration
parameters to allow forcing export by the NIS server and/or import by the
NIS client (ypbind) of only specified ranges of UIDs/GIDs.
I think (now) .. another way to solve this generally could probably be
extending the /etc/nsswitch.conf syntax to allow configuring, at a central
point (independently of NIS, LDAP, SQL etc), the range of UIDs/GIDs
imported from NSS maps.
kloczek
--
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: [EMAIL PROTECTED]
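The ordering effect described above (root coming from files or from NIS depending on /etc/nsswitch.conf), shown as an added example that is not part of this thread and not code from ypserv or ypbind. It parses an nsswitch.conf, flags the passwd/group/shadow maps where a network source precedes "files", and simulates which source would answer for UID 0; the nsswitch contents and the map contents are constructed samples.

```python
"""Constructed samples: a 'files first' and a 'nis first' nsswitch.conf."""
import re

SAMPLE_NSSWITCH_SAFE = """\
passwd: files nis
group:  files nis
shadow: files nis
"""

SAMPLE_NSSWITCH_RISKY = """\
passwd: nis files
group:  nis files
shadow: nis files
"""

# Constructed map contents per NSS source: database -> {uid: name}.
# Both the local files and the NIS passwd map carry an entry for UID 0,
# which is exactly the case the message discusses.
SOURCES = {
    "files": {"passwd": {0: "root", 1000: "alice"}},
    "nis":   {"passwd": {0: "root", 2000: "bob"}},
}


def parse_nsswitch(text):
    """Return {database: [source, ...]}; [action] brackets are dropped."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        order[db.strip()] = rest.split()
    return order


def network_first(order, dbs=("passwd", "group", "shadow")):
    """Databases where some source other than 'files' is consulted first."""
    risky = []
    for db in dbs:
        srcs = order.get(db, [])
        if "files" in srcs:
            if any(s != "files" for s in srcs[: srcs.index("files")]):
                risky.append(db)
        elif srcs:  # no local fallback at all
            risky.append(db)
    return risky


def resolve_uid(order, db, uid, sources=SOURCES):
    """First source, in configured order, that holds uid (None if absent)."""
    for src in order.get(db, []):
        if uid in sources.get(src, {}).get(db, {}):
            return src
    return None
```

With the "nis first" sample, resolve_uid() reports that UID 0 is answered by the NIS map rather than the local file, which is the "NISed root" case above.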