Security Basics mailing list archives
Re: Netinfo Manager
From: Jos Kirps|EducDesign <jos.kirps () educdesign lu>
Date: Wed, 24 Sep 2003 12:48:29 +0200
some more thoughts about the netinfo problem here: you don't even need a terminal and the nidump command to read all encrypted passwords, you can also do this using the 'netinfo manager' app which is part of any osx installation (probably the netinfo mngr uses nidump to get the information). if the root account has been enabled (which can also be done using the netinfo manager), everyone will be able to read the encrypted root password (as everyone can access the netinfo manager by default as far as i remember). maybe it would be a solution if nobody except the administrator of the machine can access terminals and the netinfo manager app.

yours sincerely
jos kirps

On Wednesday, September 24, 2003, at 01:43 AM, Dave Botsch wrote:

> Actually, on the OS X Labs Security webcast a while back, Apple promised that this would indeed be fixed in Panther. I have not seen a preview release to see if they did indeed fix it.
>
> On Tue, Sep 23, 2003 at 10:38:25PM +0200, Jos Kirps|EducDesign wrote:
>
>> the netinfo service is kind of a database that stores information you would usually find in /etc/passwd, /etc/group and /etc/shadow files, as well as many other system info. you're right, using nidump you can display all encrypted passwords, including root, and yes, this is definitely a security problem (imho). unfortunately this is not considered as a 'security flaw' by apple, it's just the way netinfo handles stuff. i don't think this will be changed in macos x 10.3 / panther.
>>
>> yours sincerely
>> jos kirps
>>
>> On Tuesday, September 23, 2003, at 06:38 PM, Matteo wrote:
>>
>>> Hi,
>>> I'm using Mac OS 10.2.8 Server and today I was quite surprised to see that a normal user on my server can obtain the encrypted passwords of all the users just using the command "nidump password .":
>>>
>>> bash-2.05a$ nidump passwd .
>>> nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
>>> root:*EncryptedPass:0:0::0:0:System Administrator:/var/root:/bin/tcsh
>>> ...
>>>
>>> Isn't this a security flaw? Is Apple going to fix it in the next release of Mac OS X (Panther)? Now, how to prevent users from seeing the passwords of the other users?
>>> Thanks
>>
>> -----------------------------------------------------
>> EducDesign S.A.
>> Where Learning and Technology meet
>> 20, rue de l'Ecole, L-3233 Bettembourg
>> Luxembourg (Europe)
>> tel. +352 51 66 52
>> fax. +352 52 26 76
>> -----------------------------------------------------
>> http://www.educdesign.lu
>> info () educdesign lu
>> -----------------------------------------------------
>> IT-Services
>> Intranet-Internet Solutions & Multimedia
>> Innovation Management & Project Development
>> Consulting, Training & Coaching in IT and Education
>> -----------------------------------------------------
>
> ********************************
> David William Botsch
> dwb7 () cornell edu
> ********************************
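The thread's point is that on 10.2 any local user can read the NetInfo passwd directory, so an administrator's first question is which accounts actually have a readable hash in it. The following is an added example (not code from any poster in this thread): a small Python audit helper that parses the 10-field records `nidump passwd .` prints (name:passwd:uid:gid:class:change:expire:gecos:home:shell), classifies each account's password field as locked (`*`/`!` prefix, as for the `nobody` entry quoted above), empty, or exposed (a real hash present), and lists the accounts an administrator should look at, uid 0 first. The sample dump and its hash strings are constructed placeholders, not real crypt(3) output, and the 10-field layout is assumed from the lines quoted in the thread.

```python
# Added example, not from the thread: audit a dump of NetInfo's passwd
# directory for accounts whose password hash is readable in the output.
# Assumes the BSD-style 10-field record format that `nidump passwd .`
# prints: name:passwd:uid:gid:class:change:expire:gecos:home:shell
from dataclasses import dataclass
from typing import List

# Constructed sample output, modelled on the lines quoted in the thread.
# The "hash" values are made-up placeholders, not real crypt(3) hashes.
SAMPLE_NIDUMP = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:ab3F9xkL2mQzE:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
matteo:Zk9pLq2vX7rTw:501:20::0:0:Matteo:/Users/matteo:/bin/bash
guest::502:20::0:0:Guest:/Users/guest:/bin/bash
"""


@dataclass
class Finding:
    name: str
    uid: int
    status: str  # one of: "exposed", "empty", "locked"


def classify_password_field(field: str) -> str:
    """Map the second passwd field to an audit status."""
    if field == "":
        return "empty"  # account has no password at all
    if field.startswith("*") or field.startswith("!"):
        return "locked"  # disabled entry, not a usable hash
    return "exposed"  # a real hash is readable by whoever ran the dump


def parse_nidump_passwd(text: str) -> List[Finding]:
    """Parse nidump passwd output into one Finding per account record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, pw, uid = fields[0], fields[1], int(fields[2])
        findings.append(Finding(name, uid, classify_password_field(pw)))
    return findings


def accounts_needing_attention(text: str) -> List[str]:
    """Accounts whose hash is exposed or whose password is empty.

    Privileged (uid 0) accounts are listed first so they stand out.
    """
    hits = [f for f in parse_nidump_passwd(text) if f.status != "locked"]
    hits.sort(key=lambda f: (f.uid != 0, f.name))
    return [f"{f.name} (uid {f.uid}): {f.status}" for f in hits]


if __name__ == "__main__":
    # On a live 10.2 box one would feed the real output of `nidump passwd .`
    # into accounts_needing_attention instead of the constructed sample.
    for entry in accounts_needing_attention(SAMPLE_NIDUMP):
        print(entry)
```

Run against the constructed sample this reports `root` and `matteo` as exposed and `guest` as having an empty password, while `nobody` and `daemon` are skipped as locked. An entry such as the redacted `*EncryptedPass` quoted by Matteo would be classified as locked because of its leading `*`, so when checking a real dump the placeholder should not be mistaken for a clean result.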
Current thread:
- Netinfo Manager Matteo (Sep 23)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 23)
- Re: Netinfo Manager Dave Botsch (Sep 24)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 24)
- Re: Netinfo Manager Dave Botsch (Sep 24)
- Re: Netinfo Manager Gene Cronk (Sep 23)
- Re: Netinfo Manager Ansgar -59cobalt- Wiechers (Sep 23)
- <Possible follow-ups>
- Re: Netinfo Manager Matt Burnett (Sep 25)
- Re: Netinfo Manager Jos Kirps|EducDesign (Sep 23)