Vulnerability Development mailing list archives
Hesiod security
From: KF <dotslash () snosoft com>
Date: Thu, 06 Jun 2002 00:51:55 -0400
Does anyone know about spoofing Hesiod requests or replies or anything of that nature?
Hesiod is supposed to only deal with non security sensitive data. Your user ID, shell and home directory are determined by Hesiod... I would say at LEAST your uid should be considered security sensitive. If you could spoof a reply for uid 0 I think you could take advantage of this.
I could be simply ignorant to the use of Hesiod ...
Definition of Hesiod:
Hesiod, developed by MIT Project Athena, is an information service built upon BIND. Its intent is similar to that of Sun's NIS: to furnish information about users, groups, network-accessible file systems, printcaps, and mail service throughout an installation. Aside from its use of BIND rather than separate server code another important difference between Hesiod and NIS is that Hesiod is not intended to deal with passwords and authentication, but only with data that are not security sensitive. Hesiod servers can be implemented by adding resource records to BIND servers; or they can be implemented as separate servers separately administered.
-KF
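
A client-side policy check for the concern raised in the post above, as an added example that is not part of the original message or of the Hesiod code base. It assumes the passwd record arrives as a TXT string in /etc/passwd format; the uid floor, home prefix, shell list and function names are hypothetical site choices, and the sample records are constructed.

```python
import re
from typing import List, NamedTuple

# Assumed site policy (hypothetical values): accounts served over the
# network never map to system uids and only use known shells and homes.
MIN_UID = 1000
HOME_PREFIX = "/home/"
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/bin/tcsh"}

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str

def parse_hesiod_passwd(txt: str) -> PasswdEntry:
    """Parse one passwd-format TXT string: name:pw:uid:gid:gecos:home:shell."""
    fields = txt.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    name, _pw, uid, gid, _gecos, home, shell = fields
    # Strict ASCII decimal only; int() alone would accept "+0" or " 0".
    if not (re.fullmatch(r"[0-9]+", uid) and re.fullmatch(r"[0-9]+", gid)):
        raise ValueError("uid and gid must be plain decimal numbers")
    return PasswdEntry(name, int(uid), int(gid), home, shell)

def policy_violations(requested: str, txt: str) -> List[str]:
    """Return the reasons a directory-supplied entry must not be trusted."""
    try:
        entry = parse_hesiod_passwd(txt)
    except ValueError as exc:
        return [f"malformed record: {exc}"]
    problems = []
    if entry.name != requested:
        problems.append("record name does not match the name looked up")
    if entry.uid < MIN_UID:
        problems.append(f"uid {entry.uid} is below the floor {MIN_UID}")
    if entry.gid == 0:
        problems.append("gid 0 is not accepted from the directory")
    if not entry.home.startswith(HOME_PREFIX) or ".." in entry.home.split("/"):
        problems.append("home directory is outside " + HOME_PREFIX)
    if entry.shell not in ALLOWED_SHELLS:
        problems.append("shell is not in the allowed list")
    return problems
```

An empty list means the entry passed every check; a record claiming uid 0 is rejected whatever its source, so the client does not depend on the reply being authentic for that decision.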