This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/11134] getpwnam shows shadow passwords of NIS users


------- Additional Comments From drepper at redhat dot com  2010-04-06 22:53 -------
I'm not so sure about either change.

The server can regulate which process can read the passwd.adjunct database using
the source port number.  A value < 1024 would indicate privileges.  If an
attacker can illegally bind a socket to a low port, security is already
compromised.  The code in libc will ignore the error from being denied access
and will use the original entry from /etc/passwd as-is.

That's how it is meant to be used.  In this model processes with privileges can
get to the information.  Especially because I don't think imitating the shadow
file using the passwd.adjunct content is going to work.

You say there are two fields missing in passwd.adjunct.  In theory perhaps true
but I have not found anywhere any indication that usually the file contains any
information except the first two fields.  That's not really the correct content
for the file.  It means no password aging etc happens.


Changing the implementation along your patch sounds arbitrary.  The current
behavior re filling in the password might be used by some people.  There is no
way in Sun's implementation to enable behavior like this?  There is no setting
in Sun's ypserv to restrict access based on ports?  I cannot change it without a
good reason.

The bigger problem is the synthetic shadow file.  I don't like this at all.  If
you want a shadow file, why don't you export one from the server?  I realize
that if you say you don't want a shadow file and restricted access to passwd and
the server doesn't have port-based access control that you then want these
changes.  But these are lots of ifs.

The current libc implementation works perfectly if you use the model I
described.  You get a full passwd file for privileged users and a version
without the password for non-privileged users.  This is a sensible model and
your patch would cause it to stop working.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=11134
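
The access model described in the comment above, as an added example that is not part of the original message and is not glibc or ypserv code: a server-side reserved-port check, and a client that keeps the passwd entry as-is when the adjunct lookup is denied. The function names, the user `alice`, the hash and the placeholder field value are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define RESERVED_PORT_LIMIT 1024   /* source ports below this need privileges to bind */

/* Build a peer address with the given source port (helper for the demo). */
static struct sockaddr_in make_peer(unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);      /* stored in network byte order */
    return sa;
}

/* Server side: treat the request as privileged only if it came from a low port. */
static int from_reserved_port(const struct sockaddr_in *peer)
{
    return ntohs(peer->sin_port) < RESERVED_PORT_LIMIT;
}

/* Hypothetical stand-in for a passwd.adjunct lookup: returns 0 and the hash
   for privileged callers, -1 (denied or unknown user) otherwise. */
static int adjunct_lookup(const struct sockaddr_in *peer, const char *user,
                          char *hash, size_t len)
{
    if (!from_reserved_port(peer) || strcmp(user, "alice") != 0)
        return -1;
    snprintf(hash, len, "%s", "$1$constructed$hash");   /* constructed value */
    return 0;
}

/* Client side: on denial, ignore the error and use the passwd field unchanged. */
static const char *resolve_passwd_field(const struct sockaddr_in *peer,
        const char *user, const char *passwd_field, char *buf, size_t len)
{
    return adjunct_lookup(peer, user, buf, len) == 0 ? buf : passwd_field;
}

int main(void)
{
    char buf[64];
    struct sockaddr_in low = make_peer(1023), high = make_peer(40000);
    printf("privileged:   %s\n", resolve_passwd_field(&low, "alice", "##alice", buf, sizeof buf));
    printf("unprivileged: %s\n", resolve_passwd_field(&high, "alice", "##alice", buf, sizeof buf));
    return 0;
}
```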
