scs@lokkur.uucp (Steve Simmons) (01/19/89)
Douglas M. Bates writes:
>Bernard Silver writes:
>> A (hopefully) harmless intrusion brought to our notice the default
>> /etc/hosts.equiv in 3.5 and 4.0. The default consists of a single "+",
>> which in this context means ALL known hosts are trusted.
>
>This can be a bad security hole in some configurations.

Try "in all configurations where you attach to machines you don't control". Fortunately there is something you can do about it. Take the following with a grain of salt as it's all from memory (i.e., go RTFM). However:

YP has a db called netgroups. It allows you to define arbitrary collections of users, machines, and domains (domain in this case means YP domain, not Internet domain). You define a name followed by a list of triplets of user, host, domain. Leaving one of the three blank means "none", putting in a star means "any" (again, RTFM on this, OK?). So you could define a list of all the machines in your domain by

	(trusted_hosts) (*,host1,my_domain) (*,host2,my_domain) . . .

Now put whatever hosts you want into the YP hosts db, but don't put them into trusted_hosts unless they're really in your domain. Now change your hosts.equiv files from '+' to '+@trusted_hosts'. Voila! You've locked out other machines from rlogin, rcp, rsh, etc.

You can use the same technique for password files and login management. We created a 'staff' group like

	staff (scs,*,my_domain) (wnl,*,my_domain) . . .

We also created an 'everybody' group. On machines we wanted only staff people on, the bottom of the password file looked like:

	+@staff
	-@everybody
	+::		(std yp passwd end)

Worked fine.

Warning! Experiment very carefully before installing a lot of this stuff. Also, it can add to your YP overhead.

Steve Simmons, Inland Sea Software, Ltd.	scs@lokkur.dexter.mi.us
9353 Hidden Lake, Dexter, MI. 48130		313-426-8981
moran@warbucks.ai.sri.com (Doug Moran) (01/26/89)
scs@lokkur.uucp (Steve Simmons):
>YP has a db called netgroups. It allows you to define arbitrary
>collections of users, machines, and domains (domain in this case means YP
>domain, not Internet domain). You define a name followed by a list of
>triplets of user, host, domain....

Minor notes: under 3.x (presumably also in 4.0), the order of the triplets is "(host,user,domain)", not "(user,host,domain)". Under 3.x, the "any" character is null (the reverse of the above stmt). Thus, in 3.x the above example "(*,host1,domain)" should have been "(host1,,domain)". Various usages of netgroups ignore certain fields, e.g. hosts.equiv ignores the user field, so the triplet "(host1,*,domain)" would have the same effect as "(host1,foo,domain)" and "(host1,,domain)".

WARNING: A system administrator reading the netgroup(5) manual page would be inclined to believe that the triplet "(,,mydomain)" defines a group of all the hosts in YP domain "mydomain". However, uses of netgroup in /etc/exports and /etc/hosts.equiv (and elsewhere?) ignore the domain field, so that this triple is equivalent to "(,,)", i.e. universal permission. (Aside: even if this field were not ignored, defining a netgroup simply using your domain is not a good idea because domain names tend to be easy to guess and are trivial to spoof.)

The probable reason that the YP domain name is not used is that it is not part of the information sent by the remote host to the server (e.g., in the rlogin preamble or in the authunix_param field of an nfsmount request). Since using this field would require the server to derive the client's domain name (even if that were possible in all cases), it would add little or nothing to the verification process.

An early reference to this problem, with a somewhat different diagnosis, can be found in a message from Matt Landau (mlandau@diamond.bbn.com) in Sun-Spots v5n5 (20 March 87).

Douglas B. Moran
AI Center, SRI International
moran@ai.sri.com
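An added illustration, not code from either post: a small Python model of the two lookups discussed in this thread, the hosts.equiv '+@netgroup' check from Steve Simmons' post and the '+@staff / -@everybody / +::' passwd tail, evaluated under the 3.x semantics Doug Moran gives (triples written (host,user,domain), an empty field meaning "any", and hosts.equiv consulting only the host field). The netgroup map, host names and the YP domain name "my_domain" are constructed placeholders; the first-match evaluation order, the parser and the function names are assumptions of this example, not the behaviour of any particular Sun release. It shows why "(,,mydomain)" ends up equivalent to a bare "+", and why the "-@everybody" line has to come before "+::".

```python
"""Model of NIS netgroup lookups as used by hosts.equiv and passwd +@/-@ lines.

Added example, not code from the thread. Assumptions: triples are written
(host,user,domain) with an empty field meaning "any", as described for 3.x;
the hosts.equiv check consults only the host field and the passwd check only
the user field; entries are evaluated top to bottom and the first matching
entry decides. The sample data below is constructed; "my_domain" is a
placeholder YP domain name.
"""
import re

# One netgroup member: either "(host,user,domain)" or the name of another netgroup.
TOKEN = re.compile(r"\([^)]*\)|\S+")


def parse_netgroup(text):
    """Parse /etc/netgroup-style lines into {name: [triple or nested-name, ...]}."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members = []
        for tok in TOKEN.findall(rest):
            if tok.startswith("("):
                fields = tok[1:-1].split(",")
                while len(fields) < 3:       # tolerate "(host)" or "(host,user)"
                    fields.append("")
                members.append(tuple(f.strip() for f in fields[:3]))
            else:
                members.append(tok)          # reference to another netgroup
        groups[name] = members
    return groups


def expand(groups, name, _seen=None):
    """Flatten a netgroup, following nested names, into a list of triples."""
    seen = set() if _seen is None else _seen
    if name in seen:                         # ignore reference cycles
        return []
    seen.add(name)
    triples = []
    for member in groups.get(name, []):
        if isinstance(member, tuple):
            triples.append(member)
        else:
            triples.extend(expand(groups, member, seen))
    return triples


def _matches(field, value):
    """Empty field is the 3.x wildcard; anything else must match exactly."""
    return field == "" or field == value


def host_in_netgroup(groups, name, host):
    """hosts.equiv-style test: the user and domain fields are ignored."""
    return any(_matches(h, host) for h, _u, _d in expand(groups, name))


def user_in_netgroup(groups, name, user):
    """passwd-style test: the host and domain fields are ignored."""
    return any(_matches(u, user) for _h, u, _d in expand(groups, name))


def hosts_equiv_trusts(hosts_equiv, groups, host):
    """Walk hosts.equiv entries; first match decides, no match means untrusted."""
    for raw in hosts_equiv.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if entry == "+":
            return True                      # the shipped default: trust everyone
        if entry.startswith("+@"):
            if host_in_netgroup(groups, entry[2:], host):
                return True
        elif entry.startswith("-@"):
            if host_in_netgroup(groups, entry[2:], host):
                return False
        elif entry.lstrip("-") == host:      # plain "host" or "-host" entry
            return not entry.startswith("-")
    return False


def passwd_allows(passwd_tail, groups, user):
    """Model the +@group / -@group / +:: lines at the bottom of passwd."""
    for raw in passwd_tail.splitlines():
        entry = raw.strip().split(":")[0]
        if entry == "+":                     # "+::" pulls in the whole YP map
            return True
        if entry.startswith("+@") and user_in_netgroup(groups, entry[2:], user):
            return True
        if entry.startswith("-@") and user_in_netgroup(groups, entry[2:], user):
            return False
    return False


# Constructed sample netgroup map; "my_domain" is a placeholder YP domain.
NETGROUP = """\
trusted_hosts  (host1,,my_domain) (host2,,my_domain)
all_trusted    trusted_hosts (host3,,my_domain)
staff          (,scs,my_domain) (,wnl,my_domain)
everybody      (,,my_domain)      # reads as "my domain", matches any host
"""
GROUPS = parse_netgroup(NETGROUP)

STAFF_ONLY_PASSWD = "+@staff\n-@everybody\n+::\n"

if __name__ == "__main__":
    for he in ("+", "+@trusted_hosts", "+@everybody"):
        print(f"hosts.equiv={he!r:20} outsider trusted:",
              hosts_equiv_trusts(he, GROUPS, "outsider"))
    for u in ("scs", "guest"):
        print(f"staff-only passwd tail, user {u}:",
              passwd_allows(STAFF_ONLY_PASSWD, GROUPS, u))
```

Running it shows "+" and "+@everybody" both trusting an unknown host while "+@trusted_hosts" does not, and "guest" being refused only because "-@everybody" precedes "+::"; swap those two lines and the deny entry is never reached.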