
List:       kde-devel
Subject:    Re: security issue KDM
From:       David Berner <david.berner () irisa ! fr>
Date:       2003-07-30 9:43:37

> Maybe it's me, but if this is possible, the flaw is in NIS! If you can use any 
> tool, be it KDE or something else, to just log on as somebody else, the NIS 
> system is flawed. The tool itself is not to blame. 

Yes, now I also think that this is a NIS (or a NIS configuration) 
issue. It should not provide the list of NIS users in the first place, 
nor trust the tool (e.g. KDE) to do the password authentication.

But still, KDE should not support this kind of attack. It should not let 
the root of a local machine decide to log in a NIS user without a password 
(and eventually tell the NIS about a successful login that never happened).

 