Full Disclosure: NIS Security Hole / Full Access by NIS Client Root
Several years ago I noticed a big issue with NIS security at Sun, which I promptly reported hoping for a patch. Today I found out it is still there. Hopefully a full disclosure will help solve it. In a typical NFS-NIS setup, users on NIS client machines log in to their NIS accounts (much as Windows users log in to their domain server). Normally, root access on the local machine is given to users to make it easy to install software. In NIS, by default, the root squash feature is implemented, which prevents the local root account from accessing NIS-mounted directories. So far so good. However, unknown to most, a bug in the NIS implementation allows local root accounts to access all information in any NIS user's account.
So if you only have access to your local machine (as root), you will be able to view the NIS-mounted home directories of all NIS users, even if they have never logged in to your machine. This effectively makes all account data, such as emails and programs, visible to almost everyone else, even the data of your boss. In short, it is an ideal recipe for an insider attack.
The way to accomplish this is deceptively simple.
But first assure yourself that, as root, you indeed cannot access any NIS account's home directory. Suppose there is a NIS user whose login is angsuman. Now, as root, try to access ~angsuman. You will be denied access.
All you have to do is su angsuman instead. You will now be logged in as the NIS user angsuman. Now you can access all the data belonging to user angsuman. Just cd ~angsuman and have fun. It is that simple!
How do you protect your company as a system administrator?
Either you have to move away from NIS-based authentication, or you will have to restrict access to the local root account. This has the downside of requiring more system administration work and potentially creating more bottlenecks.