[Help!] I don't want NIS+ user to use "niscat passwd.org_dir" to look at......
Solaris / OpenSolarisThis forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
[Help!] I don't want NIS+ user to use "niscat passwd.org_dir" to look at......
NIS+ OS: opensolaris 2008.05 as NIS+ Server IP: 192.168.80.202
NIS+ OS: opensolaris 2008.05 as NIS+ Client IP: 192.168.80.38
Now:at NIS+ Server,I have 2 users, one is user1 and the other is user2,
Purpose I wanna implement:After ssh the NIS+ client, I don't want user1 or user2 to use the command "niscat passwd.org_dir" to look at any conments of file "passwd.org_dir". Or user1 can't look at the encrypted information of passwd.org_dir.
I do removed the relative rights, but it still doesn't work.
Code:
niscat -o passwd.org_dir
Code:
Object Name : "passwd"
Directory : "org_dir.ds.org."
Owner : "dsbj-tm10.ds.org."
Group : "admin.ds.org."
Access Rights : ----------------
Time to Live : 12:0:0
Creation Time : Wed Jul 30 09:38:44 2008
Mod. Time : Wed Jul 30 17:10:28 2008
Object Type : TABLE
Table Type : passwd_tbl
Number of Columns : 8
Character Separator : :
Search Path :
Columns :
[0] Name : name
Attributes : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
Access Rights : r---r---r---r---
[1] Name : passwd
Attributes : (TEXTUAL DATA)
Access Rights : ----------------
[2] Name : uid
Attributes : (SEARCHABLE, TEXTUAL DATA, CASE SENSITIVE)
Access Rights : r---r---r---r---
[3] Name : gid
Attributes : (TEXTUAL DATA)
Access Rights : r---r---r---r---
[4] Name : gcos
Attributes : (TEXTUAL DATA)
Access Rights : r---rmcdrmcdr---
[5] Name : home
Attributes : (TEXTUAL DATA)
Access Rights : r---r---rmcdr---
[6] Name : shell
Attributes : (TEXTUAL DATA)
Access Rights : r---rmcdrmcdr---
[7] Name : shadow
Attributes : (TEXTUAL DATA)
Access Rights : ----------------
Have you looked at the nischmod man page? In nis+, you can change the permissions of the table itself or also the permissions of the individual column.
Have you looked at the nischmod man page? In nis+, you can change the permissions of the table itself or also the permissions of the individual column.
Good luck,
J.
I used nischmod. Please take a look at the results of using "niscat -o passwd.org_dir".
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Rep:
Quote:
Originally Posted by Hanzo
I can't remove execution of niscat, cause I want niscat to execute.
If you want niscat to stay executable for any user, my hack won't work indeed.
Otherwise, if you remove the x flag for other, generic users won't be able to use niscat but root and members of the bin group still will be able to execute it.
Quote:
I really don't know how to set ACL to limite some rights.
Assuming your are using ufs, this command will prevent the "guest" account to run the niscat command.
Code:
setfacl -r -m user:guest:--- /usr/bin/niscat
Consider these permission/acl solution as a weak workaround.
If you want niscat to stay executable for any user, my hack won't work indeed.
Otherwise, if you remove the x flag for other, generic users won't be able to use niscat but root and members of the bin group still will be able to execute it.
Assuming your are using ufs, this command will prevent the "guest" account to run the niscat command.
Code:
setfacl -r -m user:guest:--- /usr/bin/niscat
Consider these permission/acl solution as a weak workaround.
I used this command "chmod A5- or chmod A4- ....".
I didn't use this command "setfacl", it doesn't work. I thought we can't remove some rights of niscat,actually should be the file "passwd.org_dir".
Huh ?
What do you mean it doesn't work ?
What OS are you running ?
What filesystem ?
Why ?
By using cat or niscat ?
OS: OpenSolaris 2008.05.
The Server and client are the same OS.
Absolutely niscat we're talking about.
"it doesn't work" means: the user1 still can look at the encrypted content of the file "passwd.org_dir".
I know that this will start a "flame" war but what the hell, here we go.
If you run nisplus, you fix the permission issues with nisplus commands, NOT with solaris commands. Changing the acls is NOT what you want,
changing the permissions with chmod is NOT what you want.
Let me elaborate on this.
If you take away executable permissions from the command, it affects all the tables and the whole database, not just the passwd table.
That is not what you wanted to begin with.
NIS+ uses a different set of permissions than solaris, you can see this with nisls -l on any directory or table. You have 16 bits of permissions, not the standard 9.
The first four are for nobody, basically anybody that is NOT authenticated with NIS+, you can see if you are with the command nisdefaults.
The next four are for the owner of the table, basically root on the NIS+ root master server.
The next four are for the members of the NIS+ admin group (not to be confused with any group that you may see in /etc/group)
Lastly the next four are for the world, basically users recognized by nis+ but NOT the owner or members of the admin group.
It's 5:30 am here and I am at home, not at work so therefore I don't have a machine running nis+ here. So I am doing this by memory.
The permissions of the table are controlled with nischmod. Like for instance nischmod g-rmcd passwd.org_dir. In this example, I am showing you how to remove read, modify, create and destroy permissions from the group. JUST AN EXAMPLE, DON'T DO IT!
Furthermore, each column of a table (all the tables) has permissions that can be changed. But you already know this. The answer to this is niscat -o passwd.org_dir.
To change the particular permmissions for a column, for example you can type:
nistbladm -u 'name=g+rm,hosts.org_dir'
So if you want to change the permissions for the column, you can do that. However, if both users belong to the same category, both are affected equally by the change. if both users that you created are authenticated by nis+ but they are not root nor members of the admin group, they fall into the category of the "world" (last set of permissions).
You can fix this by putting one of this users into the nis+ admin group. However, now this guy will have a lot more power (look at the general permissions of the admin group in all the tables and columns of the tables.
ex: nisgrpadm -a admin.sun.com. user1.sun.com.
There is a command called nistest that is there for testing specific access rights to an object.
Hope it helps,
J.
Ps: Somebody said in this thread that NIS+ is deprecated. NIS+ is NOT deprecated, it is on its way out for sure but it is still supported by Sun. You can see this when you type nisserver -r -d sun.com. for example. However, that is the same message that you see in solaris 9 and some versions of 8. Lots of Sun customers use it, not as many as they used to of course.
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789
Rep:
Quote:
Originally Posted by javier.e.menendez
If you run nisplus, you fix the permission issues with nisplus commands, NOT with solaris commands. Changing the acls is NOT what you want,
changing the permissions with chmod is NOT what you want.
I absolutely agree. As I wrote, my suggestion to use permissions is just a weak workaround.
Workarounds are IMHO acceptable, especially when security is at stakes, until a proper solution is found and I appreciate your expertise helping finding it.
Quote:
Ps: Somebody said in this thread that NIS+ is deprecated. NIS+ is NOT deprecated, it is on its way out for sure but it is still supported by Sun. You can see this when you type nisserver -r -d sun.com. for example. However, that is the same message that you see in solaris 9 and some versions of 8. Lots of Sun customers use it, not as many as they used to of course.
Being deprecated doesn't means being unsupported but your are correct, NIS+ isn't deprecated yet by Sun. It has been however announced to be "End Of Feature" in 2005 and Sun customers are certainly more than ever encouraged to migrate to LDAP.
Hi,guys:
I really appreciate your great help!
I don't care whether or not NIS+ is deprecated. I do care how to implement my aim.
Here is the result of executing the command: "nisgrpadm -l admin.ds.org. "
Code:
#nisgrpadm -l admin.ds.org.
Group entry for "admin.ds.org." group:
Explicit members:
dsbj-tm10.ds.org.
No implicit members
No recursive members
No explicit nonmembers
No implicit nonmembers
No recursive nonmembers
I got confused that I can't know whether the user1 or user2 is in the group of admin.ds.org. .
After I executed the commmand
Code:
chmod A+user:user1:execute:deny /usr/bin/niscat
and
Code:
chmod A+group:60005:execute:deny /usr/bin/niscat
(cause the gid of user1 is 60005) and "ssh user1@192.168.80.38", here is result of executing the command " niscat passwd.org_dir":
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.