Re: [seul-edu] Alternatives to NIS

[Harry McGregor <micros@azstarnet.com>]

On Mon, 23 Oct 2000, David Woodhouse wrote:

> hedemark@bops.com said:
> >  MAJOR security hole - anyone with any UNIX machine that has root
> > access to that machine can become any NIS user without the need for a
> > password.  This is one of the many reasons that I hate NIS.
> 
> Could you be more specific? Anyone with any UNIX machine that has root 
> access to that machine can become _any_ user, period. 
> 
> Being able to become any user on the machine you've already cracked is 
> normal. Being able to access any of that user's files on the NFS server is 
> also normal - but that's an NFS problem, not NIS.

Right, but bringing your laptop onto the network, setting your ipaddress
to one the nis server will recongnise, and then setup your passwd file to
ask NIS for names, you can then mount the nfs export, su to the user, and
see the files.  NIS brings this from a matter of software security, to
physical security.  If you know that someone will not be able to bring a
system onto your network, and have root access to said system, you are
fine.  We are only using NIS in an elementary school, we initend to try
and get LDAP to a point we are comfortable with so that we don't have to
consider NIS for a high school...

			Harry

> -- > dwmw2
> 
> 

--
Harry McGregor, CEO, Co-Founder
hmcgregor@osef.org, (520) 202-OSEF (6733)
Open Source Education Foundation, http://www.osef.org