On Sun, 18 Aug 2013 19:35:15 +0200
Arthur de Jong wrote:
> An alternative solution would be to also return shadow information to
> non-root users but leave out the password hashes. This is what pynslcd
> in experimental currently does.
>
> I *think* that is reasonable and don't see any security
An alternative solution would be to also return shadow information to
non-root users but leave out the password hashes. This is what pynslcd
in experimental currently does.
I *think* that is reasonable and don't see any security issues from
exposing the other information from the shadow database.
On Tue, 2013-05-07 at 11:44 -0700, Andrew Ayer wrote:
> Perhaps a lightweight ACL syntax like:
>
> allow|deny MAP from user USER|group GROUP|all
[...]
That seems an interesting approach, especially when combined with the
attribute mapping. It will be some work to implement though so don't
h
On Mon, 06 May 2013 21:50:52 +0200
Arthur de Jong wrote:
> [...]
>
> Determining who can see what information consists of basically two
> separate decisions (where those who have access to the hash are a subset
> of those who have access to the other information).
>
> (there is actually a third c
Control: found -1 nss-ldapd/0.6.1
On Sun, 2013-05-05 at 20:18 -0700, Andrew Ayer wrote:
> nslcd only allows processes with UID==0 (as determined by credentials
> passed over its UNIX domain socket) to query the shadow database.
[...]
> This is a problem because it means non-root processes, in part
Package: nslcd
Version: 0.8.12-1
Severity: normal
nslcd only allows processes with UID==0 (as determined by credentials
passed over its UNIX domain socket) to query the shadow database.
This check is enforced by lines 449-452 of nslcd/nslcd.c:
case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0)