
Re: Filter to AND with uid=%s

On Fri, 6 Oct 2000, Nalin Dahyabhai wrote:

> On Fri, Oct 06, 2000 at 01:32:26PM -0500, Steve Langasek wrote:
> > It's somewhat worrying that nss_ldap is returning the user's password as part
> > of the passwd struct.  This suggests to me that there is at least a possible
> > insecurity with nss_ldap: what happens if a non-privileged user calls
> > getpwnam() for some other user's account (or root's!) that's stored in LDAP?
> > Perhaps the authors of nss_ldap had a reason for allowing the password to be
> > returned, but I can't imagine what that would be.

> Hiding the information when it's in LDAP so that nss_ldap doesn't see it
> all by default requires configuring access controls which aren't there
> by default.  There's a good paper about doing this on HP-UX at
> 'http://docs.hp.com/hpux/onlinedocs/internet/ldap_integration.pdf'. (Even
> though it's an HP-UX paper, the parts which cover the server-side issues
> are applicable to just about any directory.)

That's certainly true.  However, what should nss_ldap's behavior be if the
LDAP server has *not* been properly secured?  In some cases, nss_ldap could
make it easier for someone to gain access to these passwords.  OTOH, anyone 
who could get at the passwords using nss_ldap could probably also get at them
without using it, and the fact that nss_ldap doesn't hide anything may be
useful in debugging... with the side effect that it doesn't give the expected
behavior with pam_unix. <shrug>

Steve Langasek
postmodern programmer
