NIS: Permissions In /var/nis


Post by James Seymo » Wed, 11 Oct 1995 04:00:00



[Second posting.  The first went...???]

Taking a look at the permissions in /var/nis/..., things
look awfully wide-open.  So I'm wondering: what should
the permissions and ownerships be?

Thanks,
Jim
--
Jim Seymour                         | Medar, Inc.
Systems & Network Administrator     | 38700 Grand River Ave.
...uunet!medar!jseymour             | Farmington Hills, MI. 48335-1563

 
 
 


Post by Casper H.S. Dik - Network Security Engine » Wed, 18 Oct 1995 04:00:00



>It's true, I've also noticed it.

Simply chmod 700 /var/nis/`uname -n`.

It's bad the same mistakes made with NIS are made again with NIS+.

It should also tell you that it is *very* important not to
run your daemons with a umask of 0.

The solaris FAQ says:

3.47) How can I set a decent default umask for ftpd?

    By default, all daemons inherit the umask 0 from init.
    To get daemons to use another umask execute the following
    commands in /bin/sh and reboot:

    echo "umask 022" > /etc/init.d/umask.sh
    for d in /etc/rc?.d
    do
        ln /etc/init.d/umask.sh $d/S00umask.sh
    done

    Note: the trailing ".sh" of the scriptname is important, if
    you don't specify it, the script will be executed in a
    sub-shell, not in the main shell that executes all other scripts.

    --- end of excerpt from the FAQ

Questions marked with a * or + have been changed or added since
the FAQ was last posted

The most recently posted version of the FAQ is available from
ftp.fwi.uva.nl in directory /pub/solaris
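
The umask point in the reply above, as an added example that is not part of the original thread: it creates a directory and a log file under umask 0 and under umask 022, then audits both trees for group- or world-writable entries. The function names and the temporary directory layout are assumptions made for illustration; nothing here touches /var/nis.

```shell
#!/bin/sh
# Added example; directory names are constructed, nothing here touches /var/nis.

# List every file or directory under $1 that is group- or world-writable.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Number of findings under $1.
count_findings() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Create a directory and a log file the way a daemon would, in a subshell
# running with umask $1. mkdir asks for 0777 and the redirection for 0666;
# the umask is the only thing that removes bits from those requests.
simulate_daemon() {
    ( umask "$1" && mkdir "$2" && : > "$2/table.log" )
}

demo() {
    tmp=$(mktemp -d) || return 1
    simulate_daemon 0   "$tmp/umask0"     # inherited from init by default
    simulate_daemon 022 "$tmp/umask022"   # with the S00umask.sh script in place
    ls -ld "$tmp"/umask0 "$tmp"/umask0/table.log \
           "$tmp"/umask022 "$tmp"/umask022/table.log
    echo "findings with umask 0:   $(count_findings "$tmp/umask0")"
    echo "findings with umask 022: $(count_findings "$tmp/umask022")"
    chmod 700 "$tmp/umask0"               # the fix suggested for /var/nis/`uname -n`
    echo "after chmod 700 on the directory: $(count_findings "$tmp/umask0")"
    rm -rf "$tmp"
}

demo
```

After the `chmod 700` the file inside still carries mode 666 and is still reported, even though the directory now blocks other users from reaching it. On a real host, `audit_writable /var/nis` can be rerun after each patch installation.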

 
 
 


Post by Frank Wey » Wed, 18 Oct 1995 04:00:00




>: [Second posting.  The first went...???]

>: Taking a look at the permissions in /var/nis/..., things
>: look awfully wide-open.  So I'm wondering: what should
>: the permissions and ownerships be?

>It's true, I've also noticed it.

>Possible hack into system:



Excuse me, but ...... on my system you can't copy or edit the passwd.org_dir
if you are not root.

--------

total 2144
drwxrwxrwx   3 root     sys          512 Oct 17 13:11 ./
drwxr-sr-x  22 bin      staff        512 Sep 28 13:30 ../
-rw-r--r--   1 root     root         544 Oct 17 07:20 NIS_COLD_START
-rw-r--r--   1 root     other       8192 Oct 17 12:55 NIS_SHARED_DIRCACHE
drwxr--r--   2 root     other       1024 Oct  2 13:05 genesis/
-rw-r--r--   1 root     other       3580 Aug 14 13:10 genesis.dict
-rw-------   1 root     other    1114113 Oct 17 07:20 genesis.log

--------

So how do you hack it ?? I can't !

If there is a possibility to create a passwd.org_dir file which is accepted by
the nisplus-server then there is a hole !! (description somewhere ???)

Greetings
Frank Weyns
--

--------------------------------------------------------------------------
Disclaimer: the above posting does not reflect the opinion of my employer.
"Organization:" line is given for identification purposes.
--------------------------------------------------------------------------
Like a Modern Knight : Places to See, Women to Do, Computers to Slay !!!!!

 
 
 


Post by Rob McMah » Wed, 18 Oct 1995 04:00:00



(Casper H.S. Dik - Network Security Engineer) writes:

> >It's true, I've also noticed it.

> Simply chmod 700 /var/nis/`uname -n`.

> It's bad the same mistakes made with NIS are made again with NIS+.

While we're about it, what's /etc (and /usr/*) still doing group writable, and
how do you stop every patch you install from putting it back that way when you
fix it to something more sensible ...

Rob
--
UUCP:   ...!mcsun!uknet!warwick!cudcv   PHONE:  +44 1203 523037

Rob McMahon, Computing Services, Warwick University, Coventry CV4 7AL, England

 
 
 


Post by Casper H.S. Dik - Network Security Engine » Wed, 18 Oct 1995 04:00:00



>While we're about it, what's /etc (and /usr/*) still doing group writable, and
>how do you stop every patch you install from putting it back that way when you
>fix it to something more sensible ...

Uhm, err.  Yes, I agree that that is a problem, and yes, there's no
way to keep patchinstall from making the modes sensible.

In my previous life I wrote a program called "fix-modes" which
fixes the modes (see ftp.fwi.uva.nl:/pub/solaris/auto-install/*)
but it did require rerunning after each patch installation.

Casper

 
 
 


Post by Hendrik Visa » Thu, 19 Oct 1995 04:00:00




: >: [Second posting.  The first went...???]
: >
: >: Taking a look at the permissions in /var/nis/..., things
: >: look awfully wide-open.  So I'm wondering: what should
: >: the permissions and ownerships be?
: >
: >It's true, I've also noticed it.
: >
: >Possible hack into system:
: >

: >

: Excuse me, but ...... on my system you can't copy or edit the passwd.org_dir
: if you are not root.

: --------

: total 2144
: drwxrwxrwx   3 root     sys          512 Oct 17 13:11 ./
: drwxr-sr-x  22 bin      staff        512 Sep 28 13:30 ../
: -rw-r--r--   1 root     root         544 Oct 17 07:20 NIS_COLD_START
: -rw-r--r--   1 root     other       8192 Oct 17 12:55 NIS_SHARED_DIRCACHE
: drwxr--r--   2 root     other       1024 Oct  2 13:05 genesis/
: -rw-r--r--   1 root     other       3580 Aug 14 13:10 genesis.dict
: -rw-------   1 root     other    1114113 Oct 17 07:20 genesis.log

This is correct permissions, but (I think it was 2.3) I could change the
permissions of server/ (This case genesis/) to something like 700, or 755, or 744,
and after a while, (Or reboot) it would change (itself ??) back to 777!!

That's the hole!!!!

It looks like it has been corrected or patched since I last installed a NIS+
setup ;^)

Sorry if I put someone on a wild-goose chase, but with the 777 permissions, it
would be possible....

------
Groetend / Sincerely Yours

Hendrik Visage
#include <Standard/Disclaimer>
Vector Customer Support
+27 11 315 4330

 
 
 
