
List:       best-of-security
Subject:    BoS: casper linux bashing?
From:       jonesr () latcs1 ! cs ! latrobe ! edu ! au (Richard Jones)
Date:       1996-05-22 3:54:48


> Path: lion.cs.latrobe.edu.au!lugb.latrobe.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!news.kei.com!newsfeed.internetmci.com!howland.reston.ans.net!EU.net!sun4nl!fwi.uva.nl!not-for-mail
>
> From: casper@fwi.uva.nl (Casper H.S. Dik)
> Newsgroups: comp.security.unix
> Subject: Re: Ohh, the old plus colon colon trick again.
> Date: 19 May 1996 15:47:33 +0200
> Organization: Sun Microsystems, Netherlands
> Lines: 72
> Distribution: world
> Message-ID: <4nn8pl$kni@mail.fwi.uva.nl>
> References: <acspring-1405962113500001@pool053.max6.los-angeles.ca.dynip.alter.net> <4nc4f8$8ge@vampire.xinit.se> <acspring-1505962334130001@pool050.max6.los-angeles.ca.dynip.alter.net>
>
> NNTP-Posting-Host: mail.fwi.uva.nl

acspring@earthlink.net (Andrew Spring) writes:

> In article <4nc4f8$8ge@vampire.xinit.se>, jor@xinit.se (Joakim Rastberg) wrote:


> > Or... you could read the man(4) for passwd, in particular the section
> > where it describes the use of a "+" in a nis/yp environment.
> > 

> Or you could read _Practical Unix Security_ by Garfinkel and Spafford,
> O'Reilly and Associates, page 257 :

Except that practical Unix Security is *wrong*.

> "If you use NIS, be very careful that the plus sign is in the /etc/passwd
> file of your Clients, and not your Servers.  On a NIS server, there is 
> nothing special about the plus sign, and it's interpreted as a user name.
> Be sure the following line is *not* in the /etc/passwd file of your 
> server (or any other machine):

> +::0:0:::            _Wrong_

This is the *only* entry that will work right on Sun's implementation of
NIS (SunOS 4 , or SunOS 5 with "compat" in nsswitch.conf).

That's about as canonical as it gets.

> If the above line is in your /etc/passwd file, it will allow anybody to 
> log into your server by typing a plus sign (+) at the login: prompt.  You 
> can minimize this danger by always including a password field for the 
> "plus" user. Specify the plus sign line in the form:

Only on systems that are broken (though I must admit that if you don't use
"compat" in Solaris 2.x, you may get in as "nobody"; I'll see if I can get
them to fix that).

It's better not to have any + entries in /etc/passwd if you don't run NIS.

> +:*:0:0:::        _On NIS clients only_

On Sun's "reference" implementation, this will make it impossible for
any user to login; the non-uid/gid entries in the NIS entries take precedence
over the values from the NIS map, that is useful for having uid->name mappings
without allowing user logins.

> Otherwise, if the NIS server fails, some implementations will allow you to
> log in as root simply by using "+" as the user name.

Unfortunately, it will totally disallow logins in Sun's implementation.
Any implementation that doesn't "fail-safe" is broken, IMHO.

> Thanks for being so condescending.   It irritated me enough to dig through
> the back of my closet for the book, which is what I should have done in the
> first place.

I hope I've made clear why I think that the book is wrong; I hope it was
changed in the latest release, I don't need to spend more time helping people
telling me that they've read "Practical Unix Security" but now can no longer
log in.  (It's still a book I recommend, but even the best books have errors)

It's interesting to see how Linux reimplemented this bug, long after the
book appeared.

Casper
-- 
Casper Dik - Sun Microsystems - via my guest account at the University
of Amsterdam.  My work e-mail address is: Casper.Dik@Holland.Sun.COM
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
