flur@duke.gatech.edu (Peter W. Flur) (04/03/90)

I have seen this somewhere before, but I want to re-post it for those
that have not seen it.

There is a bug in the NetInfo system that allows anyone to get root
privileges easily if you are running yellow pages. If you put an
entry in the password file as +:::::, there will be a user called "+"
that has uid 0, or root, without a password. Try it. It is true.

However, there is one solution I have found that works. In the password
file, place two entries, +:::::, first, to read the yellow pages, and
a second entry, +:*::::, to remove the accessibility to the + account.
After niloading the password file, the second + account overrides the
first for passwords. There is a problem with this as well. If you then
nidump the password file, only the +:*:::: entry will appear. So if
you dump it and then re-load it, the yellow pages will not be read.
Users only in the yellow pages will then have no account on the machine.
Be sure to always add the first +::::: account back in.

If there are any other work-arounds, I'd love to hear about them.

Peter
----------------------------Peter Flur----------------------------
USMAIL: Box 32500
Georgia Tech, School of Electrical Engineering, Atlanta, GA 30332
USENET: ...!{allegra,hplabs,ihnp4,ulysses}!gatech!duke!flur
INTERNET: flur@duke.gatech.edu, gt2500a@prism.gatech.edu
PHONE: (404) 853-9355
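
A pre-load check for the two-entry workaround described in the post above, as an added example that is not part of the original post: it classifies the "+" entries in a passwd-format file so that a file holding only +::::: or only +:*:::: is caught before it is loaded. The function name check_plus_entries and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a NetInfo tool).
# Classify the "+" entries of a passwd-format file given as $1 (or stdin).
# Prints exactly one word:
#   ok           +::::: comes first and +:*:::: follows it (the post's workaround)
#   open-only    a "+" entry with an empty password field and no locked entry
#   locked-only  only +:*:::: is present (what the post says a dump returns)
#   wrong-order  both are present, but the locked entry precedes the open one
#   none         the file has no "+" entries at all
check_plus_entries() {
    awk -F: '
        /^[ \t]*#/ { next }                      # ignore comment lines
        $1 == "+" && $2 == ""  && !open_ln { open_ln = NR }
        $1 == "+" && $2 == "*" && !lock_ln { lock_ln = NR }
        END {
            if (!open_ln && !lock_ln)     print "none"
            else if (open_ln && !lock_ln) print "open-only"
            else if (!open_ln && lock_ln) print "locked-only"
            else if (open_ln < lock_ln)   print "ok"
            else                          print "wrong-order"
        }
    ' "${1:--}"
}

# Constructed sample input (not taken from a real system): the layout the
# post recommends, so this call prints "ok".
check_plus_entries <<'EOF'
root:*:0:0:Operator:/:/bin/csh
+:::::
+:*::::
EOF
```

Run it on the file that is about to be loaded and on any fresh dump; anything other than "ok" means the "+" entries need to be put back in the order the post describes.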