Bug 44805 - shadow + MINUID option broken
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ypserv   
Version: 7.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Florian La Roche
QA Contact: Aaron Brown
Keywords: Security
Reported: 2001-06-17 08:47 UTC by Gerald Teschl
Modified: 2007-04-18 16:33 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-07-06 19:21:14 UTC

Description Gerald Teschl 2001-06-17 08:47:13 UTC
If you use NIS together with shadow (default in Red Hat) and
MINUID=500, MINGID=500,
the encrypted root password will be distributed via NIS!!!!!!!!!

[root@keen yp]# ypcat shadow.byname |grep root
root:$1$<snip>:11312:0:99999:7:::
[root@keen yp]# ypcat passwd.byname |grep root
[root@keen yp]#
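
A check for the condition reported above, as an added example that is not part of the bug report or of ypserv: it compares a saved `ypcat shadow.byname` dump against the passwd source and lists shadow entries whose UID is below MINUID or that have no passwd entry at all. The function name, its arguments and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a saved `ypcat shadow.byname` dump against the passwd
# source. Function name, arguments and sample accounts are assumptions.
# Usage: audit_shadow_map PASSWD_FILE SHADOW_DUMP MINUID
# Prints "name<TAB>reason<TAB>hash state" per finding; returns 1 if any found.
audit_shadow_map() {
    awk -F: -v min="$3" '
        # First operand (passwd format): remember the UID of every account.
        FILENAME == ARGV[1] { if ($1 != "") uid[$1] = $3; next }
        # Shadow dump: skip comments, +/- compat entries and empty names.
        /^[-+#]/ || $1 == "" { next }
        {
            # Field 2 made only of "!" and "*" (or empty) carries no hash.
            state = ($2 == "" || $2 ~ /^[!*]+$/) ? "no hash" : "hash exposed"
            if (!($1 in uid))               why = "no passwd entry"
            else if (uid[$1] + 0 < min + 0) why = "uid " uid[$1] " < MINUID " min
            else next
            print $1 "\t" why "\t" state
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data (not taken from the bug report).
sample_dir=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'bin:x:1:1:bin:/bin:/sbin/nologin' \
    'alice:x:500:500::/home/alice:/bin/bash' > "$sample_dir/passwd"
printf '%s\n' \
    'root:$1$CONSTRUCTED$notarealhash:11312:0:99999:7:::' \
    'bin:*:11312:0:99999:7:::' \
    'alice:$1$CONSTRUCTED$notarealhash:11312:0:99999:7:::' \
    'ghost:!!:11312:0:99999:7:::' > "$sample_dir/shadow.dump"

# "|| true" keeps the script going: a non-zero status here means findings.
findings=$(audit_shadow_map "$sample_dir/passwd" "$sample_dir/shadow.dump" 500) || true
printf '%s\n' "$findings"
```

On a NIS master the dump would be the saved output of `ypcat shadow.byname`, and the passwd file the one the passwd maps are built from.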

Comment 1 Florian La Roche 2001-07-06 07:54:33 UTC
/var/yp/Makefile should not build a shadow map by default in Red Hat Linux.
It also doesn't make sense to distribute an extra shadow map for more
security. You should use Kerberos together with yp for this.


Comment 2 Gerald Teschl 2001-07-06 11:42:30 UTC
It does make sense since with a shadow map ordinary users will not be able to
see the encrypted password!

Comment 3 Gerald Teschl 2001-07-06 19:21:10 UTC
The following change to /var/yp/Makefile will fix the problem:

--- Makefile.orig       Fri Jul  6 21:09:04 2001
+++ Makefile    Fri Jul  6 21:14:04 2001
@@ -300,7 +300,7 @@
 shadow.byname: $(SHADOW) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
-       $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" ) print $$1"\t"$$0 }' \
+       $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && system("test ` id -u "$$1"` -lt
$(MINUID)")) print $$1"\t"$$0 }' \
                $(SHADOW) | $(DBLOAD) -s -i $(SHADOW) -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@
 endif
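
Review bot: the condition added to the `$(AWK)` line fails open. When `id -u` cannot resolve a name that appears in $(SHADOW), the backquotes expand to nothing, `test` is left without its left operand and exits non-zero (bash reports a unary operator error), `system()` returns that non-zero status and the entry is printed, so an account the system cannot look up still lands in shadow.byname. The same line also pastes the name unquoted into a shell command and starts one shell per shadow entry, and `id` answers from whatever the name service returns rather than from the file the passwd maps are built from. Suggest loading the UIDs from the passwd source inside the same awk program and printing a shadow entry only when its UID is known and not below $(MINUID), which removes the `system()` call altogether.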


Comment 4 Florian La Roche 2001-07-24 10:09:00 UTC
Please look at 1.3.12-1 on rawhide shortly.

Florian La Roche


