I asked:
> Does anyone know if there is a way to create an NIS map that can only
> be accessed by root?
>
>[...]
>
> I've created two NIS maps, one for machine root passwords
> and one for machine prom passwords, indexed by the hostname. This
> NIS map would then be propogated to the three machines in our administration
> NIS domain (there are only three, and each is an NIS server), and through
> the magic of /var/yp/securenets would only be available to people
> physically logged on to these machines. So far so good. I would like
> to further restrict this so that only root on these three machines can
> access this map, but this is where I'm running into problems. Anyone can
> do a ypmatch on this machine right now and get a root password. The dbm
> files are already mode 0600, owned by root, so I can't just do it with
> unix file permissions.
>
> Since each machine that needs access to this file is its own NIS
> server, it would even work to have ypcat/ypmatch fail entirely for any
> user on these maps, and I could just have some sort of script that reads
> through the (root-owned) dbm file in /var/yp on each machine manually.
The solution:
Three cheers for obscurely-documented flags! Joe Pruett <joey@q7.com>
gave me the solution I was hoping for: the -s flag to makedbm.
According to the man page for makedbm, the -s flag means make a
"Secure map. Accept connections from secure NIS networks only."
As it turns out, what this means in normal english is that only root
can access the map. If a nonroot user tries to do a ypcat or ypmatch,
he is told that there is no such map. Beautiful.
"Trevor Paquette" <tpaquett@aec.ca> suggested that I encrypt the
data in the map so that even if anyone can do a ypcat or ypmatch, the
resulting data won't mean anything unless he or she knows the single
passphrase that decrypts the stored data. Unfortunately I was unable
to find an encryption program that can be called from a script and
leaves its result in a format that can still be read by makedbm. PGP
munges the entire file at a time, and crypt & krypt produce non-ascii
files.
Thanks also to a couple of other people who gave me excellent suggestions
that mention their own security setups, so it would probably not be
prudent to identify them here. ;^) (And for anyone tempted to take a
crack at a bunch of root passwords in an NIS map, please leave my poor
alma mater out of this. Of course I'm not doing this at the University
of Oregon. I'm just using an old account I have here to send this email.
I'm doing this behind a very nice corporate firewall.)
Christopher L. Barnard
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:47 CDT