oss-sec mailing list archives
Re: CVE id request: GNU libc: NIS shadow password leakage
From: Christoph Pleger <Christoph.Pleger () cs tu-dortmund de>
Date: Mon, 11 Jan 2010 11:20:47 +0100
Hello, On Mon, 11 Jan 2010 10:52:08 +0100 Tomas Hoger <thoger () redhat com> wrote:
No, that's not true. I have no experience with Linux NIS servers, but when the NIS server runs on Solaris (Sun Microsystems is the inventor of NIS), the shadow password information, which is in the passwd.adjunct.byname map, on the NIS clients can only be seen by root. When other users call for example "ypcat passwd.adjunct.byname", they get an error message that the map does not exist. Also, on Solaris NIS clients, the shadow password cannot be seen with getpwnam.According to ypserv.conf man page [1], it is possible to restrict data from some map only to clients using a privileged (< 1024) source port.
Yes, and this is the default at least in Debian and Ubuntu NIS servers.
Does Solaris possibly do the same (when configured to do so)?
I did a little testing with a Linux NIS client and a Linux NIS server, also with the same client and a Solaris NIS server. I used tcpdump to look at the network traffic and saw that, when ypcat is called as root, it uses privileged ports. Of course, when called by a non-root user, it only uses non-privileged ports. It seems that Linux NIS servers as well as Solaris NIS servers expect that the request is sent from a privileged port when someone wants to look at the "secret" maps, so it is not possible for every user to see the encrypted NIS passwords, but only for root. This is still a security risk in an environment where every user can connect his or her own notebook, but that's another problem. Regards Christoph
Current thread:
- CVE id request: GNU libc: NIS shadow password leakage Aurelien Jarno (Jan 07)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Tomas Hoger (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 11)
- Re: CVE id request: GNU libc: NIS shadow password leakage Christoph Pleger (Jan 08)
- Re: CVE id request: GNU libc: NIS shadow password leakage Josh Bressers (Jan 08)