On Tue, 22 Dec 2009 23:00:55 -0000
Kees Cook <email address hidden> wrote:
> Hello! Thanks for the report and the patch. One thing I'm curious
> about; isn't it possible for a local user to just use "ypcat
> passwd.adjunct.byname" to see the encrypted passwords?
No, only the root user can look at passwd.adjunct.byname. When a normal
user calls "ypcat passwd.adjunct.byname", the following error message
is shown:
No such map passwd.adjunct.byname. Reason: No such map in server's
domain
> Regardless, I
> would be curious to see if upstream glibc would be willing to use your
> patch. Have you opened a bug with glibc?
> http://sourceware.org/bugzilla/
No, not yet, I thought that Debian or Ubuntu would send the patch
upstream. Do you think that I should do that?
>
> Also, IIUC, this is not a "private" security issue, in that NIS
> leaking encrypted passwords is a fairly well understood limitation.
> Should this bug be made public to get more people looking at it?
I also reported the bug to Debian, so the security violation is
already public. So, it's no problem to make it public in Ubuntu, too.
Regards
Christoph