oss-sec mailing list archives

Re: CVE id request: GNU libc: NIS shadow password leakage


From: Christoph Pleger <Christoph.Pleger () cs tu-dortmund de>
Date: Mon, 11 Jan 2010 11:20:47 +0100

Hello,

On Mon, 11 Jan 2010 10:52:08 +0100
Tomas Hoger <thoger () redhat com> wrote:

No, that's not true. I have no experience with Linux NIS servers,
but when the NIS server runs on Solaris (Sun Microsystems is the
inventor of NIS), the shadow password information, which is in the
passwd.adjunct.byname map, on the NIS clients can only be seen by
root. When other users call for example "ypcat
passwd.adjunct.byname", they get an error message that the map does
not exist. Also, on Solaris NIS clients, the shadow password cannot
be seen with getpwnam.

According to the ypserv.conf man page [1], it is possible to restrict data
from some map only to clients using a privileged (< 1024) source port.

Yes, and this is the default at least in Debian and Ubuntu NIS servers.

Does Solaris possibly do the same (when configured to do so)?

I did a little testing with a Linux NIS client and a Linux
NIS server, also with the same client and a Solaris NIS server. I used
tcpdump to look at the network traffic and saw that, when ypcat is
called as root, it uses privileged ports. Of course, when called by
a non-root user, it only uses non-privileged ports.

It seems that Linux NIS servers as well as Solaris NIS servers expect
that the request is sent from a privileged port when someone wants to
look at the "secret" maps, so it is not possible for every user to
see the encrypted NIS passwords, but only for root. This is still a
security risk in an environment where every user can connect his or her
own notebook, but that's another problem.

Regards
  Christoph

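As an added example (not part of the thread or of ypserv itself), a small Python model of the ypserv.conf privileged-port check discussed above: it parses a constructed ypserv.conf fragment and decides, with the first-match semantics of ypserv, whether a request for a map is served depending on the client address and its source port. The configuration lines, domain name and addresses are constructed for illustration.

```python
import ipaddress
# Constructed ypserv.conf fragment (not from the thread). Per ypserv.conf(5) each
# rule is  host : domain : map : security ; the first matching rule wins and "port"
# serves the map only to requests from a privileged (< 1024) source port.
YPSERV_CONF = """
# deny an untrusted guest network before any map rule (first match wins)
192.168.50.0/255.255.255.0 : * : *                     : deny
*                          : * : shadow.byname         : port
*                          : * : passwd.adjunct.byname : port
*                          : * : *                     : none
"""
# Weak variant: the shadow map is served regardless of source port.
WEAK_CONF = "* : * : passwd.adjunct.byname : none\n"

def parse_rules(text):
    """Return (host, domain, map, security) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 4:
            raise ValueError("malformed rule: %r" % line)
        rules.append(tuple(fields))
    return rules

def host_matches(pattern, client_ip):
    if pattern == "*":
        return True
    if "/" in pattern:  # address/netmask form, e.g. 192.168.50.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def access_allowed(rules, client_ip, src_port, domain, ypmap):
    """Model of ypserv's decision: no matching rule means the request is served."""
    for host, dom, m, security in rules:
        if not host_matches(host, client_ip):
            continue
        if dom != "*" and dom != domain:
            continue
        if m != "*" and m != ypmap:
            continue
        if security == "deny":
            return False
        if security == "port":
            # Only the source port is checked, so root on any admitted client
            # passes; this is the residual risk of user-owned notebooks.
            return src_port < 1024
        return True  # "none"
    return True
```

Run the functions on a request from an unprivileged port to see the shadow map denied under the hardened rules and served under the weak ones.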