Re: NIS Linux - Ubuntu

2007-12-27 Thread Chad Perrin
On Wed, Dec 26, 2007 at 09:10:00PM -0500, Lowell Gilbert wrote:
 Chad Perrin [EMAIL PROTECTED] writes:
 
  The behavior with an asterisk instead of an X is pretty worrisome,
  however, and is not strictly Ubuntu's fault.  Security of a server should
  not rely on the good will and competence of the client developers.
 
 I agree with the latter sentence, but not the former.  
 When using NFS (without Kerberos), it is built into the protocol that
 the server trusts the client on the UID/GID.  
 That is a good reason not to use NFS in an untrusted environment, but
 there really isn't anything FreeBSD can do about it.

I'm not clear on how that makes it Ubuntu's fault -- which seems to be
what you're saying, since you disagreed with the sentence in which I
stated it is not strictly Ubuntu's fault.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
John Kenneth Galbraith: If all else fails, immortality can always be
assured through spectacular error.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: NIS Linux - Ubuntu

2007-12-26 Thread Lowell Gilbert
Chad Perrin [EMAIL PROTECTED] writes:

 On Thu, Dec 20, 2007 at 09:32:50AM -0500, Lowell Gilbert wrote:
 RA Cohen [EMAIL PROTECTED] writes:
 
  I am sorry, here is an addendum to my previous post:
 
 Somehow Ubuntu was given root user
   permissions
 
  Actually, upon rereading my notes, Ubuntu was only given permissions of 
  the user doing the login - not root - but we could log in with any valid 
  user; apparently FreeBSD thought it was presented with a wildcard password.
 
  And I can also verify that FreeBSD clients are able to use the password 
  map when x is used instead of * in the map to represent the password. So I 
  can secure the system using the x but still cannot get Ubuntu clients to 
  authenticate.
 
 Sounds like Ubuntu is using the wrong map, probably one where it's
 getting a different and empty field where it expects to find a password.

 The behavior with an asterisk instead of an X is pretty worrisome,
 however, and is not strictly Ubuntu's fault.  Security of a server should
 not rely on the good will and competence of the client developers.

I agree with the latter sentence, but not the former.  
When using NFS (without Kerberos), it is built into the protocol that
the server trusts the client on the UID/GID.  
That is a good reason not to use NFS in an untrusted environment, but
there really isn't anything FreeBSD can do about it.


Re: NIS Linux - Ubuntu

2007-12-20 Thread Lowell Gilbert
RA Cohen [EMAIL PROTECTED] writes:

 I am sorry, here is an addendum to my previous post:

Somehow Ubuntu was given root user
  permissions

 Actually, upon rereading my notes, Ubuntu was only given permissions of the 
 user doing the login - not root - but we could log in with any valid user; 
 apparently FreeBSD thought it was presented with a wildcard password.

 And I can also verify that FreeBSD clients are able to use the password map 
 when x is used instead of * in the map to represent the password. So I can 
 secure the system using the x but still cannot get Ubuntu clients to 
 authenticate.

Sounds like Ubuntu is using the wrong map, probably one where it's
getting a different and empty field where it expects to find a password.
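
One way to check the "wrong map, empty field" explanation above from a client, as an added example that is not part of the original thread: pipe the client's view of a map (for instance the output of `ypcat passwd`) into the function below, which reports the field count and the kind of value sitting in the password field of each entry. The function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads passwd-format map entries on
# stdin and prints, per entry: <name> fields=<n> pw=<class>[ <note>]
classify_pw_fields() {
    awk -F: '
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        pw = $2
        if (pw == "")                              cls = "EMPTY"
        else if (pw == "*")                        cls = "star"
        else if (pw == "x")                        cls = "x"
        else if (pw ~ /^\$/ || length(pw) == 13)   cls = "hash"
        else                                       cls = "other"
        note = ""
        if (cls == "EMPTY") note = " <-- empty password field"
        if (cls == "hash")  note = " <-- hash readable by this client"
        # 7 fields = passwd(5) layout, 10 = FreeBSD master.passwd(5) layout
        if (NF != 7 && NF != 10) note = note " <-- unexpected field count"
        printf "%s fields=%d pw=%s%s\n", $1, NF, cls, note
    }'
}

# Number of entries whose password field is empty.
count_empty() {
    classify_pw_fields | awk '/ pw=EMPTY/ { n++ } END { print n + 0 }'
}

# Constructed sample entries (not real accounts or hashes).
sample_map() {
    cat <<'EOF'
alice:*:1001:1001:Alice Example:/usr/home/alice:/bin/sh
bob:x:1002:1002:Bob Example:/usr/home/bob:/bin/sh
carol::1003:1003:Carol Example:/usr/home/carol:/bin/sh
dave:$1$constructed$notarealhash:1004:1004::0:0:Dave Example:/usr/home/dave:/bin/sh
EOF
}

sample_map | classify_pw_fields
```

Running the same check on a FreeBSD client and on the Ubuntu client shows whether the two are actually being served the same value in the password field.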


Re: NIS Linux - Ubuntu

2007-12-20 Thread Chad Perrin
On Thu, Dec 20, 2007 at 09:32:50AM -0500, Lowell Gilbert wrote:
 RA Cohen [EMAIL PROTECTED] writes:
 
  I am sorry, here is an addendum to my previous post:
 
 Somehow Ubuntu was given root user
   permissions
 
  Actually, upon rereading my notes, Ubuntu was only given permissions of the 
  user doing the login - not root - but we could log in with any valid user; 
  apparently FreeBSD thought it was presented with a wildcard password.
 
  And I can also verify that FreeBSD clients are able to use the password map 
  when x is used instead of * in the map to represent the password. So I can 
  secure the system using the x but still cannot get Ubuntu clients to 
  authenticate.
 
 Sounds like Ubuntu is using the wrong map, probably one where it's
 getting a different and empty field where it expects to find a password.

The behavior with an asterisk instead of an X is pretty worrisome,
however, and is not strictly Ubuntu's fault.  Security of a server should
not rely on the good will and competence of the client developers.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Baltasar Gracian: A wise man gets more from his enemies than a fool from
his friends.


NIS Linux - Ubuntu

2007-12-18 Thread RA Cohen
I've read most of what is out there on NIS - Linux interoperability. 
Unfortunately, nothing explains what we encountered on a FreeBSD 6.2 machine 
running NFS and NIS:

1. FreeBSD clients work as advertised; they interpret the password maps 
correctly; we export the server's /usr/home filesystem and users' home 
directories are automatically easily available.

2. ...just installed a clean Ubuntu 7.10 (newest) and set up NIS and he's 
STILL able to log in as ANY user without a password and can access their 
network drive when it's mounted

Number 2 above scared the living daylights out of me. I checked permissions on 
the /usr/home directories, all set to 770 (each user is in their own group). 
The Ubuntu client could still walk all over this filesystem. Let me be clear: 
any valid username (as exported by the NIS maps) was authenticated with any 
password. Somehow Ubuntu was given root user permissions no matter what user 
was logged in. When we changed the /var/yp/Makefile to create maps with an 'x' 
instead of an '*' this fixed the problem but also resulted in no valid logins 
from the Ubuntu clients at all. And I have not checked the FreeBSD client 
machines to see how they deal with the 'x'  in the password map but that 
doesn't matter; what concerns me is how Ubuntu was given free access over the 
filesystem... That makes NIS unusable in our environment (a public high school) 
because what about Macs? and other Linux-type clients?

Can anyone shed a clue on what is occurring here? Seems like a dangerous hole 
in FBSD's NIS implementation. I know, I should move to Kerberos/LDAP but that 
realistically cannot happen until the summer.

Thank you in advance for your help!

RA Cohen





  



NIS Linux - Ubuntu

2007-12-18 Thread RA Cohen
I am sorry, here is an addendum to my previous post:

Somehow Ubuntu was given root user
 permissions

Actually, upon rereading my notes, Ubuntu was only given permissions of the 
user doing the login - not root - but we could log in with any valid user; 
apparently FreeBSD thought it was presented with a wildcard password.

And I can also verify that FreeBSD clients are able to use the password map 
when x is used instead of * in the map to represent the password. So I can 
secure the system using the x but still cannot get Ubuntu clients to 
authenticate.


Roy



  
