Bug 44805 - shadow + MINUID option broken
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ypserv
Version: 7.1
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Florian La Roche
QA Contact: Aaron Brown
Keywords: Security
Reported: 2001-06-17 04:47 EDT by Gerald Teschl
Modified: 2007-04-18 12:33 EDT
Doc Type: Bug Fix
Last Closed: 2001-07-06 15:21:14 EDT
Description Gerald Teschl 2001-06-17 04:47:13 EDT
If you use NIS together with shadow (default in Red Hat) and
MINUID=500,MINGID=500
the encrypted root password will be distributed via NIS!!!!!!!!!

[root@keen yp]# ypcat shadow.byname |grep root
root:$1$<snip>:11312:0:99999:7:::
[root@keen yp]# ypcat passwd.byname |grep root
[root@keen yp]#
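
A check for the leak reported above, added here as an example and not part of the original report or of ypserv: it compares a passwd file with a shadow file and lists every shadow entry whose UID is below MINUID or that has no passwd entry. The function names `shadow_leaks` and `make_sample` and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit which shadow entries fall outside the MINUID policy.
# shadow_leaks PASSWD_FILE SHADOW_FILE MINUID
# Prints one line per shadow entry whose UID is below MINUID, or whose
# name has no passwd entry at all (reported too, so the check fails closed).
shadow_leaks() {
    awk -F: -v min="$3" '
        # First file (passwd): remember the UID of every real entry.
        pass == 1 { if ($0 !~ /^[-+#]/ && $1 != "") uid[$1] = $3; next }
        # Second file (shadow): skip the same lines the Makefile rule skips.
        /^[-+#]/ || $1 == "" { next }
        !($1 in uid)          { print $1 " (no passwd entry)"; next }
        uid[$1] + 0 < min + 0 { print $1 " (uid " uid[$1] ")" }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed sample files; the hash fields are placeholders, not real hashes.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:HASH-PLACEHOLDER:11312:0:99999:7:::
bin:*:11312:0:99999:7:::
alice:HASH-PLACEHOLDER:11312:0:99999:7:::
bob:HASH-PLACEHOLDER:11312:0:99999:7:::
ghost:HASH-PLACEHOLDER:11312:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
shadow_leaks "$tmp/passwd" "$tmp/shadow" 500
rm -rf "$tmp"
```

Run against the real source files and the MINUID value from /var/yp/Makefile, empty output means every shadow entry belongs to an account at or above MINUID.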
Comment 1 Florian La Roche 2001-07-06 03:54:33 EDT
/var/yp/Makefile should not build a shadow map by default in Red Hat Linux.
It also doesn't make sense to distribute an extra shadow map for more
security. You should use Kerberos together with yp for this.
Comment 2 Gerald Teschl 2001-07-06 07:42:30 EDT
It does make sense since with a shadow map ordinary users will not be able to
see the encrypted password!
Comment 3 Gerald Teschl 2001-07-06 15:21:10 EDT
The following change to /var/yp/Makefile will fix the problem:

--- Makefile.orig       Fri Jul  6 21:09:04 2001
+++ Makefile    Fri Jul  6 21:14:04 2001
@@ -300,7 +300,7 @@
 shadow.byname: $(SHADOW) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
-       $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" ) print $$1"\t"$$0 }' \
+       $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && system("test ` id -u "$$1"` -lt
$(MINUID)")) print $$1"\t"$$0 }' \
                $(SHADOW) | $(DBLOAD) -s -i $(SHADOW) -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@
 endif
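
Review bot: In the `+` line, the condition `system("test ` id -u "$$1"` -lt $(MINUID)")` fails open and passes each shadow user name to a shell. awk's system() returns the command's exit status, so the entry is printed whenever `test` exits non-zero; that covers UID >= MINUID, but also the case where `id -u` fails for a name with no passwd entry, which leaves `test` with a missing operand and an error status, so that entry is still published. The name in $$1 is also pasted unquoted into the shell command line (the double quotes around it close the awk string, they do not quote it for the shell), and one shell plus one `id` process is started per shadow line. Suggest reading the UIDs from the passwd source file inside the same awk program and printing a shadow entry only on a positive match of UID >= $(MINUID), so that unknown names are dropped. The changed line is also wrapped across two lines as posted, which would keep the patch from applying cleanly.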
Comment 4 Florian La Roche 2001-07-24 06:09:00 EDT
Please look at 1.3.12-1 on rawhide shortly.

Florian La Roche