Re: Netinfo Manager

[Matt Burnett <marukka () mac com>]

NetInfo manager does not use nidump to gather information from the NetInfo database, it just uses the API provided by 
OS X. If you want to see for yourself goto publicsource.apple.com and look at the source code. In NeXT OS there was a 
feature in NetInfo were you could assign a shadow property to certain NetInfo elements like the password to prevent 
unprivliged users/processes from accessing the crypt(3) ciphertexts, but i belive this was disabled in OS X. A fix for 
this issue would  be for OS X to doing something like use LDAP to query Window's Active Directory.

On Tuesday, September 23, 2003, at 06:43PM, Dave Botsch <dwb7 () cornell edu> wrote:

> Actually, on the OS X Labs Security webcast a while back, Apple promised that
> this would indeed be fixed in Panther. I have not seen a preview release to see
> if they did indeed fix it.
>
> On Tue, Sep 23, 2003 at 10:38:25PM +0200, Jos Kirps|EducDesign wrote:
> > the netinfo service is kind of a database that stores information you  
> > would
> > usually find in /etc/passwd, /etc/group and /etc/shadow files, as well  
> > as
> > many other system info.
> >
> > you're right, using nidump you can display all encrypted passwords,  
> > including
> > root, and yes, this is definately a security problem (imho).  
> > unfortunately this is
> > not considered as a 'security flaw' by apple, it's just the way netinfo  
> > handles
> > stuff. i don't think this will be changed in macos x 10.3 / panther.
> >
> > your sincerefully
> > jos kirps
> >
> > On Tuesday, September 23, 2003, at 06:38 PM, Matteo wrote:
> >
> > > Hi,
> > >
> > > I'm using Mac OS 10.2.8 Server and today I was quite surprised to see  
> > > that a normal user on my server can obtain the encrypted passwords of  
> > > all the user just using the command "nidump password .":
> > >
> > > bash-2.05a$ nidump passwd .
> > > nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
> > > root:*EncryptedPass:0:0::0:0:System Administrator:/var/root:/bin/tcsh
> > > ...
> > >
> > > Isn't this a security flaw? Is Apple going to fix it in the next  
> > > release of Mac OS X (Panther)? Now, how to prevent users to see the  
> > > passwords of the other users?
> > >
> > > Thanks
> > >
> > >
> > > ----------------------------------------------------------------------- 
> > > ----
> > > ----------------------------------------------------------------------- 
> > > -----
> > -----------------------------------------------------
> > EducDesign S.A.
> > Where Learning and Technology meet
> >
> > 20, rue de l'Ecole, L-3233 Bettembourg
> > Luxembourg (Europe)
> > tel. +352 51 66 52
> > fax. +352 52 26 76
> > -----------------------------------------------------
> > http://www.educdesign.lu
> > info () educdesign lu
> > -----------------------------------------------------
> > IT-Services
> > Intranet-Internet Solutions & Multimedia
> > Innovation Managment & Project Development
> > Consulting, Training & Coaching in IT and Education
> > -----------------------------------------------------
> >
> >
> > ---------------------------------------------------------------------------
> > ----------------------------------------------------------------------------
>
> -- 
> ********************************
> David William Botsch
> dwb7 () cornell edu
> ********************************
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------