On Sat, Jul 06, 2002 at 06:14:20PM -0400, Fraser Campbell wrote:
> On Thu, 2002-07-04 at 22:57, Russell Coker wrote:
>
> > Delegating administrative access to one tree of an LDAP directory is
> > easy. Preventing it from being used maliciously is another issue.
> > A hostile user could create a new LDAP entry with a UID of 0...
>
> But if you configure files lookups before db lookups the uid 0 entry in
> LDAP or SQL would never be used right? Snippet from /etc/nsswitch.conf:
>
> passwd: files mysql
> shadow: files mysql
> group: files mysql
nope. any account with uid=0 is root. you can have multiple uid=0 accounts in
/etc/passwd or in mysql or anywhere else the system is configured to get auth
info from.

some ideas:

1. use a decent database like postgres rather than a toy like mysql and set a
trigger to prevent creation of records in your accounts table where the uid
field equals 0. i.e. the database server should reject any such attempt itself,
not rely on the client app to do the right thing.

2. use PAM rather than nsswitch modules - that way you can configure which
services will get acct info from the database. e.g. your MTA, local delivery
agent, pop & imap daemons but NOT login, ssh, telnet, ftp, or anything else.

nsswitch is easier and works with anything that uses standard libc calls like
getpwent() etc. PAM is far more flexible, but more work to configure properly.
also, it only works with stuff compiled to use it (in debian, that means
basically everything. on other distributions....who knows?).

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
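Idea 1 above (have the database server itself refuse uid 0 rows) worked through as a PostgreSQL trigger. This is an added example, not code from the thread; the `accounts` table, its column names and the `mailadmin` role are assumptions made up for the illustration, not anything the posters described. It also guards UPDATE, which the post does not mention, so a row cannot be created with a harmless uid and then edited to 0.

```sql
-- Hypothetical accounts table consulted by the NSS/PAM lookup (constructed
-- example; table and column names are assumptions, not from the thread).
CREATE TABLE accounts (
    username  text    PRIMARY KEY,
    uid       integer NOT NULL,
    gid       integer NOT NULL,
    homedir   text    NOT NULL,
    shell     text    NOT NULL DEFAULT '/bin/sh'
);

-- Trigger function: refuse any row that would give a database-defined
-- account uid 0. It runs inside the server, so it applies no matter which
-- client (web UI, script, psql) performs the write.
CREATE OR REPLACE FUNCTION accounts_reject_uid_zero() RETURNS trigger AS $$
BEGIN
    IF NEW.uid = 0 THEN
        RAISE EXCEPTION 'account "%" may not have uid 0', NEW.username;
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

-- Fire on UPDATE as well as INSERT; checking inserts alone would let a row
-- be created with uid 1001 and changed to 0 afterwards.
CREATE TRIGGER accounts_no_uid_zero
    BEFORE INSERT OR UPDATE ON accounts
    FOR EACH ROW EXECUTE PROCEDURE accounts_reject_uid_zero();

-- The delegated administrator gets row-level rights only. The table, the
-- trigger and its function stay owned by a different role, so the delegated
-- role cannot DROP or DISABLE the trigger. (role name is an assumption)
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO mailadmin;

-- Accepted:
INSERT INTO accounts VALUES ('alice', 1001, 1001, '/home/alice', '/bin/sh');
-- Rejected: the trigger raises the exception and the statement is rolled back.
INSERT INTO accounts VALUES ('evil', 0, 0, '/root', '/bin/sh');
-- Also rejected, because the trigger fires BEFORE UPDATE too.
UPDATE accounts SET uid = 0 WHERE username = 'alice';
```

The same guarantee can be had with a plain constraint, `ALTER TABLE accounts ADD CONSTRAINT accounts_uid_nonzero CHECK (uid <> 0)`, which is simpler and equally server-enforced; the trigger form is shown because it is what the post suggests and because it can be extended to reject other privileged ranges (for instance anything below the site's first ordinary uid) or to log the attempt. On old PostgreSQL releases plpgsql must first be enabled in the database (`createlang plpgsql`); current releases ship it enabled. Whichever form is used, the point of the post holds: the check belongs in the server, owned by a role the delegated admin does not control, not in the application that writes the rows.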