On Mon, 15 Jul 2013, Daniel Eischen wrote:

On Tue, 16 Jul 2013, Jan Bramkamp wrote:

On 16.07.2013 04:28, Daniel Eischen wrote:
[ ... ]

I think something is lost on me here.  getpwent/getpwuid do
not return the password hashes in the returned struct passwd
unless the calling process is root.  So you have to be root in
order to see the hashes anyway.  Not all users are going to
have access to the hashes, unless your machine's compromised
or otherwise allows root privileges to others.

If the crypted password can be read by an LDAP client with the
information available to every process in (nss_)ldap.conf, your crypted
passwords are easily accessible for offline attacks. There is no reason
for an attacker to go through the getpwent/getpwuid API.

The root bind password is kept in a separate file that only
root has read rights to.  I don't think the password hashes
are available when binding anonymously or through the proxy
agent.

I guess I was wrong - it seems the proxy agent by default
(at least with Oracle DSEE7) has read access to the userPassword
attribute.  I'll have to try adding an ACI, as suggested by
Michael Butler, to restrict that.

--
DE
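The thread ends with the intention to add an ACI restricting the proxy agent's read access to userPassword. The following LDIF is an added illustration of what such a restriction looks like in Oracle DSEE ACI syntax; it is not the ACI Michael Butler suggested and not part of the original thread. The suffix dc=example,dc=com and the proxy agent DN cn=proxyagent,ou=profile,dc=example,dc=com are assumed placeholders; substitute the real base DN and the bind DN configured for the proxy agent in nss_ldap.conf. In DSEE a deny rule takes precedence over any allow rule that also matches, so the default read access the proxy agent inherits on the suffix no longer covers the password attribute.

```ldif
# Added example (not from the thread): restrict read access to the
# userPassword attribute so that the nss_ldap proxy agent, whose bind
# credentials are world-readable on the clients, cannot retrieve hashes.
# All DNs below are assumed placeholders.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (version 3.0; acl "Deny proxy agent access to password hashes";
  deny (read, search, compare)
  userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com";)
```

Apply it with ldapmodify bound as the directory administrator, then verify the effect by binding as the proxy agent with ldapsearch and requesting the userPassword attribute for a test user: the entry should come back without that attribute. The root bind identity used by nss_ldap for privileged lookups (kept in the root-only file mentioned above) is unaffected, provided it is a different DN from the proxy agent, so getpwent/getpwuid as root continue to see the hashes while unprivileged clients do not.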
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
