Security Basics mailing list archives
Re: Netinfo Manager
From: Matt Burnett <marukka () mac com>
Date: Thu, 25 Sep 2003 07:42:22 -0500
NetInfo Manager does not use nidump to gather information from the NetInfo database; it just uses the API provided by OS X. If you want to see for yourself, go to publicsource.apple.com and look at the source code. In NeXT OS there was a feature in NetInfo where you could assign a shadow property to certain NetInfo elements like the password to prevent unprivileged users/processes from accessing the crypt(3) ciphertexts, but I believe this was disabled in OS X. A fix for this issue would be for OS X to do something like using LDAP to query Windows' Active Directory.

On Tuesday, September 23, 2003, at 06:43PM, Dave Botsch <dwb7 () cornell edu> wrote:
> Actually, on the OS X Labs Security webcast a while back, Apple promised that this would indeed be fixed in Panther. I have not seen a preview release to see if they did indeed fix it.
>
> On Tue, Sep 23, 2003 at 10:38:25PM +0200, Jos Kirps|EducDesign wrote:
>
> > The netinfo service is kind of a database that stores information you would usually find in /etc/passwd, /etc/group and /etc/shadow files, as well as much other system info. You're right, using nidump you can display all encrypted passwords, including root, and yes, this is definitely a security problem (imho). Unfortunately this is not considered a 'security flaw' by Apple, it's just the way netinfo handles stuff. I don't think this will be changed in MacOS X 10.3 / Panther.
> >
> > Yours sincerely,
> > Jos Kirps
> >
> > On Tuesday, September 23, 2003, at 06:38 PM, Matteo wrote:
> >
> > > Hi, I'm using Mac OS 10.2.8 Server and today I was quite surprised to see that a normal user on my server can obtain the encrypted passwords of all the users just using the command "nidump passwd .":
> > >
> > >     bash-2.05a$ nidump passwd .
> > >     nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
> > >     root:*EncryptedPass:0:0::0:0:System Administrator:/var/root:/bin/tcsh
> > >     ...
> > >
> > > Isn't this a security flaw? Is Apple going to fix it in the next release of Mac OS X (Panther)? Now, how to prevent users from seeing the passwords of the other users? Thanks
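The dump Matteo quotes is ordinary BSD master.passwd format (name:password:uid:gid:class:change:expire:gecos:home:shell), which is exactly why the exposure matters: any local user can feed it straight into a parser and then into a cracker. The following is an added example, not code from anyone in this thread or from Apple. It parses such a dump and reports which accounts expose a real crypt(3) hash rather than a locked marker, which is the check an administrator would run to see how much of the directory is actually crackable offline. The sample dump, its account names and its hash strings are constructed for the example; the 13-character fields are placeholders in crypt(3) shape, not real hashes.

```python
"""Audit a NetInfo password dump for exposed crypt(3) hashes.

Added example, not code from the thread. Input is the text that
`nidump passwd .` prints: BSD master.passwd lines of the form
name:password:uid:gid:class:change:expire:gecos:home:shell
"""
import re
from typing import List, NamedTuple

# Traditional crypt(3): 2-char salt + 11 chars of DES output, alphabet ./0-9A-Za-z
CRYPT3_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $1$ (MD5), $2a$ (bcrypt), $5$/$6$ (SHA-2), ...
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")
# Markers that mean "no usable hash here": locked account or shadowed field
LOCK_MARKERS = {"*", "!", "!!", "x", "*LK*"}


class PasswdEntry(NamedTuple):
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_dump(text: str) -> List[PasswdEntry]:
    """Parse nidump passwd output; reject lines that are not 10 colon-separated fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[7], f[8], f[9]))
    return entries


def classify_password_field(pw: str) -> str:
    """Say what the password field actually holds."""
    if pw == "":
        return "empty"          # no password at all: worse than an exposed hash
    if pw in LOCK_MARKERS:
        return "locked"         # nothing to crack; '*' is what a shadowed field should show
    if CRYPT3_DES.match(pw):
        return "crypt3-des"     # offline-crackable with any crypt(3) cracker
    if MODULAR_CRYPT.match(pw):
        return "modular-crypt"  # stronger scheme, but still offline-crackable once read
    return "unknown"            # e.g. a redacted placeholder such as "*EncryptedPass"


EXPOSED = {"crypt3-des", "modular-crypt"}


def exposed_hashes(text: str) -> List[PasswdEntry]:
    """Accounts whose hash any local user could carry off for offline cracking."""
    return [e for e in parse_passwd_dump(text)
            if classify_password_field(e.password) in EXPOSED]


def audit_report(text: str) -> List[str]:
    """One line per account: name, uid, and what the password field exposes."""
    return [f"{e.name}\tuid={e.uid}\t{classify_password_field(e.password)}"
            for e in parse_passwd_dump(text)]


# Constructed sample in the shape of the dump quoted in the thread.
# The 13-character fields are placeholders in crypt(3) shape, not real hashes.
SAMPLE_DUMP = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:abJnggxhB/yWI:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
matteo:Yb2MdwCzJ9RXs:501:20::0:0:Matteo:/Users/matteo:/bin/bash
guest::502:20::0:0:Guest:/Users/guest:/bin/bash
"""

if __name__ == "__main__":
    # Real use on a NetInfo host:  nidump passwd . | python3 netinfo_audit.py
    import sys
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for line in audit_report(data):
        print(line)
    bad = exposed_hashes(data)
    print(f"{len(bad)} account(s) with readable crypt(3) hashes: "
          + ", ".join(e.name for e in bad))
```

Run against the constructed sample it flags root and matteo as exposed, reports guest as having an empty password field, and leaves nobody and daemon alone. On a real 10.2 host the same script reads the live dump from stdin; the point of the check is that it needs no privilege at all, which is precisely Matteo's complaint.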
Current thread:
- Netinfo Manager Matteo (Sep 23)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 23)
- Re: Netinfo Manager Dave Botsch (Sep 24)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 24)
- Re: Netinfo Manager Dave Botsch (Sep 24)
- Re: Netinfo Manager Gene Cronk (Sep 23)
- Re: Netinfo Manager Ansgar -59cobalt- Wiechers (Sep 23)
- <Possible follow-ups>
- Re: Netinfo Manager Matt Burnett (Sep 25)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 23)