List: kde-devel
Subject: Re: security issue KDM
From: Thiago Macieira <thiagom () wanadoo ! fr>
Date: 2003-07-30 10:39:38
David Berner wrote:
>But still KDE should not support this kind of attack. It should not let
>the root of a local machine decide to log in a NIS user without password
>(and eventually tell the NIS about a successful login that never happened).
So you're asking us to detect that the system was configured for NIS and drop
all support for NIS? Besides, if a user has root on a system, he can do
anything. It's not KDE that's going to block it.
It's not an attack. It's how NIS works. In NIS authentication, it's the client
that authenticates, not the server. The server just provides the encrypted
password to authenticate against. That happens because there's no such thing
as a "network UID", so any root-privileged process on the client can simply
setuid() to any UID. There's no authentication in that.
Anyways, as said before, the problem is on the server, not on the client. If
you run a NIS/NFS network, the admin must make sure that he's the only one to
have root on _all_ workstations. As for the CD-ROM problem, it's easy: put a
password on the BIOS setup and don't allow the bootmanager to select another
configuration than the default one.
Again, it's the network that is not configured properly. Not KDE.
--
Thiago Macieira - Registered Linux user #65028
thiagom@mail.com
ICQ UIN: 1967141 PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
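To make the trust model in the message concrete, here is an added illustration (not code from the thread, from KDM or from any NIS implementation): a constructed in-memory "NIS server" that does nothing but serve passwd map entries, and a client that fetches the stored hash and verifies the password locally. A salted SHA-256 stands in for the crypt(3) hash format as a labelled simplification. The point it demonstrates is the one Thiago makes: the server only ever sees map lookups, so its view of a correct and an incorrect login attempt is identical, and the only place authentication actually happens is on the client.

```python
"""Model of client-side NIS authentication (constructed example).

The server hands out passwd map entries; the client does the password
check. Nothing in the exchange tells the server whether a login succeeded,
which is why root on any workstation has to be trusted by the NIS admin.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hash_password(salt: str, password: str) -> str:
    """Stand-in for the crypt(3) hash stored in the map (illustration only)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class NisServer:
    """Serves 'user:hash:uid:gid:gecos:home:shell' entries and logs requests."""
    passwd_map: dict
    requests: List[Tuple[str, str]] = field(default_factory=list)

    def lookup(self, user: str) -> Optional[str]:
        # The only thing the server ever learns: somebody asked for this user.
        self.requests.append(("passwd.byname", user))
        return self.passwd_map.get(user)


def parse_passwd_entry(entry: str) -> dict:
    """Split a passwd-style map entry into its seven fields."""
    fields = entry.split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry: %r" % entry)
    return {
        "name": fields[0],
        "hash": fields[1],
        "uid": int(fields[2]),
        "gid": int(fields[3]),
        "gecos": fields[4],
        "home": fields[5],
        "shell": fields[6],
    }


def client_authenticate(server: NisServer, user: str, password: str) -> Optional[int]:
    """Client-side check: fetch the entry, compare locally, return UID on success.

    The comparison never leaves the client; the server cannot tell this call
    apart from any other map lookup.
    """
    entry = server.lookup(user)
    if entry is None:
        return None
    rec = parse_passwd_entry(entry)
    salt, stored = rec["hash"].split("$", 1)
    if hmac.compare_digest(hash_password(salt, password), stored):
        return rec["uid"]
    return None


def make_demo_server() -> NisServer:
    """Constructed passwd map with one user; salt and password are made up."""
    salt = "x1"
    stored = "%s$%s" % (salt, hash_password(salt, "s3cret"))
    entry = "alice:%s:1001:1001:Alice Example:/home/alice:/bin/sh" % stored
    return NisServer(passwd_map={"alice": entry})


if __name__ == "__main__":
    srv = make_demo_server()
    print("good password ->", client_authenticate(srv, "alice", "s3cret"))
    print("bad password  ->", client_authenticate(srv, "alice", "wrong"))
    # Both attempts look the same from the server's side.
    print("server saw    ->", srv.requests)
```

Run the module directly and compare the two results with the request log: the client returns UID 1001 for the right password and nothing for the wrong one, while the server's log holds two indistinguishable `passwd.byname` lookups. That asymmetry is the whole reason the message places the responsibility on the network configuration (who holds root on the workstations) rather than on the display manager.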