Bugtraq mailing list archives
Re: nidump on OS X
From: "John C. Welch" <jwelch () MIT EDU>
Date: Wed, 18 Sep 2002 17:52:01 -0400
On 09/15/2002 17:28, "Dale Harris" <rodmur () maybe org> wrote:
> Basically any normal user can get a dump of the passwd file and attempt brute force attacks on the encrypted passwds; it includes the root passwd. This problem has been around for well over a year, but Apple ignores it:
>
> http://www.securitytracker.com/alerts/2001/Jul/1001946.html
> http://online.securityfocus.com/archive/1/211718
>
> Dale Harris <rodmur () maybe org>
>
> However Apple hasn't seemed to bother addressing it yet since it still persists in OS X.2 (Jaguar). You'd think they might have taken the opportunity to fix this problem with a new major release.
It's not a case of ignoring it. It's a case of it having been around since NetInfo came out. It's *far* older than a year. But NetInfo is buggy, non-standard, poorly documented and understood, and only runs on OS X/*Step systems unless you get a connector from PADL. If you look at 10.2, they are *heavily* moving to LDAP v3, which handles this sort of thing better, but unfortunately, it has to, for now, tie into NetInfo. NetInfo is bound at a very low level to the OS, and extracting it correctly will not happen quickly.
> This obviously isn't such a big problem when you are dealing with only limited access desktop systems, but Xserve exists now, and I would think it'd be a bigger concern. 'Course you could always chmod 700 nidump.
It's an issue with NetInfo, not any one utility.

john
--
John C. Welch
IT Manager
MIT Police
(617) 253 - 3093 work
(508) 579 - 7380 cell
(617) 253 - 8822 fax
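As an added illustration (not code from either poster), the following Python audit takes passwd-format output of the kind `nidump passwd .` returns to an unprivileged user and reports which accounts expose a real crypt hash in the password field; it also includes the mode check behind the `chmod 700 nidump` workaround mentioned above. The sample dump is constructed, the hash strings are made up, and the 7-field /etc/passwd layout and the `/usr/bin/nidump` path are assumptions.

```python
import os
import stat

# Constructed sample in /etc/passwd layout (assumed to match `nidump passwd .`).
# Hash values are invented and are not real credentials.
SAMPLE_DUMP = """\
nobody:*:-2:-2:Unprivileged User:/dev/null:/dev/null
root:QgSD1DmxZ.3fs:0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1:System Services:/var/root:/dev/null
dale:xY9TbGqpLmRn2:501:20:Dale Harris:/Users/dale:/bin/tcsh
"""

# Password-field values that carry no usable hash (locked or shadowed entries).
PLACEHOLDERS = {"", "*", "!", "x", "********"}


def parse_passwd(text):
    """Yield (user, password_field, uid) for each well-formed line.

    Only the first three colon-separated fields matter, so both the 7-field
    passwd and the longer master.passwd layouts are tolerated.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than misreport it
        yield fields[0], fields[1], int(fields[2])


def exposed_hashes(text):
    """Return users whose password field holds a real hash, uid 0 first."""
    hits = [(u, uid) for u, pw, uid in parse_passwd(text) if pw not in PLACEHOLDERS]
    hits.sort(key=lambda t: (t[1] != 0, t[0]))  # root-equivalent accounts lead
    return [u for u, _ in hits]


def world_executable(mode):
    """True if group or other may execute; after chmod 700 this is False."""
    return bool(mode & (stat.S_IXGRP | stat.S_IXOTH))


def audit_nidump(path="/usr/bin/nidump"):
    """Mode check for the nidump binary, or None if it is not present."""
    try:
        return world_executable(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print("accounts exposing a hash:", exposed_hashes(SAMPLE_DUMP))
    print("nidump executable by non-root:", audit_nidump())
```

Running the parser over real `nidump passwd .` output as a non-root user shows immediately whether the dump leaks hashes; an empty list means the password field is already shadowed.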