Oh, pardon me. That really is safe then. NOT! If I can plug into your ethernet, I can have your NIS maps. If you "don't allow access" you must be doing it by hostname/IP. Easy, I can just steal the IP I want, unplugging the real machine if necessary. This is silly anyway because I can easily sniff the traffic, which goes around unencrypted, with my laptop anyway. I'm sorry but I'm right and you're wrong: NIS is not secure. If you believe it's secure and feel good using it in your environment you may be right and I might completely agree with you, **in that specific case**. The real danger here is that someone decides that they don't need to worry so much because they're using shadow passwords, not realizing that anyone who can hook a machine into the local net can have access. Don't go telling people something's secure when it's not.

Now listen, I do exactly what you describe. I use (on an internal network) plain old NIS maps to distribute passwd/shadow info to a Linux box which uses shadow passwords. I'm not saying it can't be done. I'm not saying it shouldn't be done. I'm saying that when you advise someone about a practice which involves system security you have a duty to make full disclosure about the inherent risks (which exist in *any* system). It pisses me off when people think they know it all and take a cavalier attitude going around telling people "what's what" in a tone and manner which suggests they are authoritative on the matter. You obviously are very confident with your expertise and technical knowledge. Just remember it's when you think you've got every angle that you're going to make the mistake.

Gergely Madarasz wrote:

> On Thu, 19 Feb 1998, Jens B. Jorgensen wrote:
>
> > This is true. However note how you said "if the request for the map comes from a non-root user". How do you suppose the NIS server determines that you're "not a root user"? I'll tell you: ident. I can whip up an ident server on my NT box in two minutes that'll tell you I'm any user I want. This is not security.
>
> Wrong. It determines that you're not a root user by port. If the request comes from a port lower than 1024 then it is root. And don't give NIS access to hosts which can be booted into an unsafe OS like NT.

--
Jens B. Jorgensen
[EMAIL PROTECTED]
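The two access signals the thread argues over, the host/IP list and the "source port below 1024 means root" rule, modelled in a small Python evaluator. This is an added example, not code from the thread or from ypserv; it assumes the "netmask network" line format of ypserv's securenets file and the map names passwd.byname, passwd.byuid and shadow.byname, and the sample file and addresses are constructed. What it makes visible is Jens's point: both signals are copied straight from the packet headers and nothing authenticates either of them, so the access decision is only as strong as the trust placed in the network segment.

```python
import ipaddress

# Constructed sample in the "netmask network" line format of ypserv's
# securenets file (assumption: this is where the "by hostname/IP"
# restriction mentioned in the thread is configured).
SAMPLE_SECURENETS = """\
# loopback
255.0.0.0       127.0.0.0
# internal lab segment
255.255.255.0   192.168.10.0
"""

PRIVILEGED_PORT_LIMIT = 1024   # source ports below this are reserved for root
PUBLIC_MAPS = ("passwd.byname", "passwd.byuid")
ROOT_ONLY_MAPS = ("shadow.byname",)   # assumption: shadow map gated on the port rule


def parse_securenets(text):
    """Parse securenets-style lines into ip_network objects, skipping comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, addr = line.split()
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def evaluate_request(src_ip, src_port, nets):
    """Model the server's view of one map request.

    Returns the two signals from the thread plus the maps that would be
    served. Both signals come from the packet headers as received; plain
    NIS has no way to prove either the address or the port is genuine.
    """
    ip = ipaddress.ip_address(src_ip)
    address_allowed = any(ip in n for n in nets)
    treated_as_root = src_port < PRIVILEGED_PORT_LIMIT
    maps = []
    if address_allowed:
        maps.extend(PUBLIC_MAPS)
        if treated_as_root:
            maps.extend(ROOT_ONLY_MAPS)
    return {
        "address_allowed": address_allowed,
        "treated_as_root": treated_as_root,
        "authenticated": False,   # nothing in the exchange verifies the claims
        "maps_served": maps,
    }


if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    # Constructed requests: a listed host from a high port, the same host
    # from a low port, and an unlisted host from a low port.
    for ip, port in (("192.168.10.7", 40000), ("192.168.10.7", 1011),
                     ("10.0.0.5", 1011)):
        print(ip, port, evaluate_request(ip, port, nets))
```

The "authenticated" field is always False on purpose: the evaluator has no input from which it could become True, which is exactly the gap the thread describes, and it is why the only mitigations discussed are about which hosts may sit on the segment at all.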


