Security Basics mailing list archives

Re: Netinfo Manager


From: Jos Kirps|EducDesign <jos.kirps () educdesign lu>
Date: Wed, 24 Sep 2003 12:48:29 +0200

some more thoughts about the netinfo problem here:

you don't even need a terminal and the nidump command to read all
encrypted passwords, you can also do this using the 'netinfo manager'
app which is part of any osx installation (probably the netinfo mngr uses
nidump to get the information). if the root account has been enabled
(which can also be done using the netinfo manager), everyone will
be able to read the encrypted root password (as everyone can access
the netinfo manager by default as far as i remember). maybe it would be a
solution if nobody except the administrator of the machine can access
terminals and the netinfo manager app.

yours sincerely
jos kirps

On Wednesday, September 24, 2003, at 01:43 AM, Dave Botsch wrote:

Actually, on the OS X Labs Security webcast a while back, Apple promised that this would indeed be fixed in Panther. I have not seen a preview release to see if they did indeed fix it.

On Tue, Sep 23, 2003 at 10:38:25PM +0200, Jos Kirps|EducDesign wrote:
the netinfo service is kind of a database that stores information you would usually find in /etc/passwd, /etc/group and /etc/shadow files, as well as much other system information.

you're right, using nidump you can display all encrypted passwords, including root, and yes, this is definitely a security problem (imho). unfortunately this is not considered as a 'security flaw' by apple, it's just the way netinfo handles stuff. i don't think this will be changed in macos x 10.3 / panther.

yours sincerely
jos kirps

On Tuesday, September 23, 2003, at 06:38 PM, Matteo wrote:

Hi,

I'm using Mac OS 10.2.8 Server and today I was quite surprised to see
that a normal user on my server can obtain the encrypted passwords of
all the users just using the command "nidump passwd .":

bash-2.05a$ nidump passwd .
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*EncryptedPass:0:0::0:0:System Administrator:/var/root:/bin/tcsh
...

Isn't this a security flaw? Is Apple going to fix it in the next
release of Mac OS X (Panther)? Now, how to prevent users from seeing the
passwords of the other users?

Thanks




-----------------------------------------------------
EducDesign S.A.
Where Learning and Technology meet

20, rue de l'Ecole, L-3233 Bettembourg
Luxembourg (Europe)
tel. +352 51 66 52
fax. +352 52 26 76
-----------------------------------------------------
http://www.educdesign.lu
info () educdesign lu
-----------------------------------------------------
IT-Services
Intranet-Internet Solutions & Multimedia
Innovation Management & Project Development
Consulting, Training & Coaching in IT and Education
-----------------------------------------------------



--
********************************
David William Botsch
dwb7 () cornell edu
********************************




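As an added audit helper (not code from the thread or from Apple), the following parses the ten-field, colon-separated records that `nidump passwd .` prints, the same layout as a BSD master.passwd file as shown in Matteo's transcript above, and reports which accounts expose hash material rather than a locked placeholder, so an administrator can see at a glance whether the root hash is among them. The sample records are constructed; the hash strings in them are made-up placeholders, not real hashes.

```python
# Added audit helper (not from the thread): parse `nidump passwd .` output
# (ten colon-separated fields, master.passwd layout) and list accounts whose
# password field holds hash material that any local user could read.

FIELDS = ("name", "passwd", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Constructed sample output; the hash strings are placeholders, not real hashes.
SAMPLE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:PLACEHOLDER_ROOT_HASH:0:0::0:0:System Administrator:/var/root:/bin/tcsh
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
alice:PLACEHOLDER_USER_HASH:501:501::0:0:Alice Example:/Users/alice:/bin/bash

malformed line without enough fields
"""

# Values that mean "no usable hash here": locked or externally-managed accounts.
PLACEHOLDERS = ("", "*", "!", "x")


def parse_nidump_passwd(text):
    """Return one dict per well-formed record; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # not a master.passwd-style record
        records.append(dict(zip(FIELDS, parts)))
    return records


def hash_exposed(passwd_field):
    """True when the field carries hash material instead of a lock/placeholder."""
    return passwd_field not in PLACEHOLDERS


def exposed_accounts(text):
    """Names of accounts whose hash is readable via nidump, uid-0 accounts first."""
    hits = [r for r in parse_nidump_passwd(text) if hash_exposed(r["passwd"])]
    hits.sort(key=lambda r: (int(r["uid"]) != 0, r["name"]))
    return [r["name"] for r in hits]


if __name__ == "__main__":
    for name in exposed_accounts(SAMPLE):
        print("hash exposed for account:", name)
```

Run it against the real output of `nidump passwd .` redirected to a file to confirm which accounts (root in particular) are affected before and after locking down access.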

