From kde-devel Wed Jul 30 10:39:38 2003
From: Thiago Macieira
Date: Wed, 30 Jul 2003 10:39:38 +0000
To: kde-devel
Subject: Re: security issue KDM
X-MARC-Message: https://marc.info/?l=kde-devel&m=105956174318139

David Berner wrote:
>But still KDE should not support this kind of attack. It should not let
>the root of a local machine decide to log in a NIS user without password
>(and eventually tell the NIS about a successful login that never happened).

So you're asking us to detect that the system was configured for NIS and drop all support for NIS? Besides, if a user has root on a system, he can do anything. It's not KDE that's going to block it.

It's not an attack. It's how NIS works. In NIS authentication, it's the client that authenticates, not the server. The server just provides the encrypted password to authenticate against. That happens because there's no such thing as a "network UID", so any root-privileged process on the client can simply setuid() to any UID. There's no authentication in that.

Anyways, as said before, the problem is on the server, not on the client. If you run a NIS/NFS network, the admin must make sure that he's the only one to have root on _all_ workstations. As for the CD-ROM problem, it's easy: put a password on the BIOS setup and don't allow the boot manager to select another configuration than the default one.

Again, it's the network that is not configured properly. Not KDE.
-- 
Thiago Macieira - Registered Linux user #65028
thiagom@mail.com
ICQ UIN: 1967141 PGP/GPG: 0x6EF45358; fingerprint: E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358