From proff Wed May 22 17:17:35 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id RAA30895 for best-of-security; Wed, 22 May 1996 17:17:35 +1000
Received: from latcs1.cs.latrobe.edu.au (latcs1.cs.latrobe.EDU.AU [131.172.42.21]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id NAA23336 for ; Wed, 22 May 1996 13:56:22 +1000
Received: by latcs1.cs.latrobe.edu.au (8.7.4/1.34) id NAA06446; Wed, 22 May 1996 13:54:48 +1000 (AEST)
Date: Wed, 22 May 1996 13:54:48 +1000 (AEST)
From: jonesr@latcs1.cs.latrobe.edu.au (Richard Jones)
Message-Id: <199605220354.NAA06446@latcs1.cs.latrobe.edu.au>
To: proff@suburbia.net
Subject: casper linux bashing?
Sender: proff

>Path: lion.cs.latrobe.edu.au!lugb.latrobe.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!news.kei.com!newsfeed.internetmci.com!howland.reston.ans.net!EU.net!sun4nl!fwi.uva.nl!not-for-mail
>From: casper@fwi.uva.nl (Casper H.S. Dik)
>Newsgroups: comp.security.unix
>Subject: Re: Ohh, the old plus colon colon trick again.
>Date: 19 May 1996 15:47:33 +0200
>Organization: Sun Microsystems, Netherlands
>Lines: 72
>Distribution: world
>Message-ID: <4nn8pl$kni@mail.fwi.uva.nl>
>References: <4nc4f8$8ge@vampire.xinit.se>
>NNTP-Posting-Host: mail.fwi.uva.nl

acspring@earthlink.net (Andrew Spring) writes:

>In article <4nc4f8$8ge@vampire.xinit.se>, jor@xinit.se (Joakim Rastberg) wrote:

>>Or... you could read the man(4) for passwd, in particular the section
>>where it describes the use of a "+" in a nis/yp environment.
>>

>Or you could read _Practical Unix Security_ by Garfinkel and Spafford,
>O'Reilly and Associates, page 257 :

Except that Practical Unix Security is *wrong*.

> "If you use NIS, be very careful that the plus sign is in the /etc/passwd
> file of your Clients, and not your Servers. On a NIS server, there is
> nothing special about the plus sign, and it's interpreted as a user name.
> Be sure the following line is *not* in the /etc/passwd file of your
> server (or any other machine):

> +::0:0:::

_Wrong_ This is the *only* entry that will work right on Sun's implementation of NIS (SunOS 4, or SunOS 5 with "compat" in nsswitch.conf). That's about as canonical as it gets.

> If the above line is in your /etc/passwd file, it will allow anybody to
> log into your server by typing a plus sign (+) at the login: prompt. You
> can minimize this danger by always including a password field for the
> "plus" user. Specify the plus sign line in the form:

Only on systems that are broken (though I must admit that if you don't use "compat" in Solaris 2.x, you may get in as "nobody"; I'll see if I can get them to fix that). It's better not to have any + entries in /etc/passwd if you don't run NIS.

> +:*:0:0:::

_On NIS clients only_ On Sun's "reference" implementation, this will make it impossible for any user to login; the non-uid/gid entries in the NIS entries take precedence over the values from the NIS map, that is useful for having uid->name mappings without allowing user logins.

> Otherwise, if the NIS server fails, some implementations will allow you to
> log in as root simply by using "+" as the user name.

Unfortunately, it will totally disallow logins in Sun's implementation. Any implementation that doesn't "fail-safe" is broken, IMHO.

>Thanks for being so condescending. It irritated me enough to dig through
>the back of my closet for the book, which is what I should have done in the
>first place.

I hope I've made clear why I think that the book is wrong; I hope it was changed in the latest release, I don't need to spend more time helping people telling me that they've read "Practical Unix Security" but now can no longer log in. (It's still a book I recommend, but even the best books have errors)

It's interesting to see how Linux reimplemented this bug, long after the book appeared.

Casper
--
Casper Dik - Sun Microsystems - via my guest account at the University of Amsterdam.
My work e-mail address is: Casper.Dik@Holland.Sun.COM
Statements on Sun products included here are not gospel and may be fiction rather than truth.
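As an added illustration of the "compat" semantics Casper describes (example code written for this page, not code from the post or from Sun): a small Python model in which a "+" or "+name" line in /etc/passwd pulls entries in from the NIS map, any non-empty passwd/gecos/home/shell field of the "+" line overrides the map value while its uid/gid are ignored, a literal "+" never resolves to a user, and an audit function flags the two situations the post warns about. The passwd lines and the NIS map are constructed sample data; "HASH" stands in for a real password hash.

```python
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse(line):
    """Split one passwd(4) line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed passwd line: %r" % line)
    return dict(zip(FIELDS, parts))

def compat_merge(passwd_lines, nis_map):
    """Effective user list: local lines kept, '+'/'+name' lines expanded from nis_map."""
    users = []
    for line in passwd_lines:
        entry = parse(line)
        if not entry["name"].startswith("+"):
            users.append(entry)           # ordinary local entry
            continue
        wanted = entry["name"][1:]        # "" = whole map, "name" = one user
        for nis in nis_map:
            if wanted and nis["name"] != wanted:
                continue
            merged = dict(nis)
            for f in ("passwd", "gecos", "home", "shell"):
                if entry[f]:              # non-empty field of the '+' line wins;
                    merged[f] = entry[f]  # its uid/gid are ignored (Sun semantics)
            users.append(merged)
    return users

def lookup(users, name):
    """Name lookup over the merged list; a literal '+' is never a user here."""
    if name.startswith("+"):
        return None
    return next((u for u in users if u["name"] == name), None)

def audit(passwd_lines, uses_nis):
    """Flag '+' entries on a non-NIS host, and '*'-password '+' entries (lock all NIS users out on Sun)."""
    findings = []
    for line in passwd_lines:
        e = parse(line)
        if not e["name"].startswith("+"):
            continue
        if not uses_nis:
            findings.append("'+' entry but NIS not in use: " + line)
        if e["passwd"] == "*":
            findings.append("'+' entry with '*' password blocks all NIS logins: " + line)
    return findings
# Constructed sample data: a client passwd file and a one-user NIS map.
LOCAL_PASSWD = ["root:HASH:0:0:Super-User:/:/sbin/sh", "+::0:0:::"]
NIS_MAP = [parse("alice:HASH:1001:10:Alice:/home/alice:/bin/sh")]
```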