[Bug libc/11134] getpwnam shows shadow passwords of NIS users

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "drepper at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/11134] getpwnam shows shadow passwords of NIS users
Date: Tue, 06 Apr 2010 22:53:00 -0000	[thread overview]
Message-ID: <20100406225330.17516.qmail@sourceware.org> (raw)
In-Reply-To: <20100105092632.11134.Christoph.Pleger@cs.tu-dortmund.de>

------- Additional Comments From drepper at redhat dot com  2010-04-06 22:53 -------
I'm not so sure about either change.

The server can regulate which process can read the passwd.adjunct database using
the source port number.  A value < 1024 would indicate privileges.  If an
attacker can illegally bind a socket to a low port security is already
compromised.  The code in libc will ignore the error from being denied access
and will use the original entry from /etc/passwd as-is.

That's how it is meant to be used.  In this model processes with privileges can
get to the information.  Especially because I don't think imitating the shadow
file using the passwd.adjunct content is going to work.

You say there are two fields missing in passwd.adjunct.  In theory perhaps true
but I have not found anywhere any indication that usually the file contains any
information except the first two fields.  That's not really the correct content
for the file.  It means no password aging etc happens.

Changing the implementation along your patch sounds arbitrary.  The current
behavior re filling in the password might be used by some people.  There is no
way in Sun's implementation to enable behavior like this?  There is no setting
in Sun's ypserv to restrict access based on ports?  I cannot change it without a
good reason.

The bigger problem is the synthetic shadow file.  I don't like this at all.  If
you want a shadow file, why don't you export one from the server?  I realize
that if you say you don't want a shadow file and restricted access to passwd and
the server doesn't have port-based access control that you then want these
changes.  But these are lots of ifs.

The current libc implementation works perfectly if you use the model I
described.  You get a full passwd file for privileged users and a version
without the password for non-privileged users.  This is a sensible model and
your patch would cause it to stop working.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

http://sourceware.org/bugzilla/show_bug.cgi?id=11134

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

next prev parent reply	other threads:[~2010-04-06 22:53 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-01-05  9:26 [Bug libc/11134] New: " Christoph dot Pleger at cs dot tu-dortmund dot de
2010-01-05  9:28 ` [Bug libc/11134] " Christoph dot Pleger at cs dot tu-dortmund dot de
2010-01-06  7:59 ` Christoph dot Pleger at cs dot tu-dortmund dot de
2010-02-17 13:15 ` Christoph dot Pleger at cs dot tu-dortmund dot de
2010-02-17 13:18 ` Christoph dot Pleger at cs dot tu-dortmund dot de
2010-04-05 20:20 ` drepper at redhat dot com
2010-04-05 20:20 ` drepper at redhat dot com
2010-04-06 22:53 ` drepper at redhat dot com [this message]
2010-04-07 14:41 ` drepper at redhat dot com
     [not found] <bug-11134-131@http.sourceware.org/bugzilla/>
2014-02-16 19:35 ` jackie.rosen at hushmail dot com
2014-05-28 19:44 ` schwab at sourceware dot org
2014-06-30 20:29 ` fweimer at redhat dot com

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100406225330.17516.qmail@sourceware.org \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sources.redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).