topic Re: syslog: NIS attack in Operating System - HP-UX

syslog: NIS attack

thom_14 — Wed, 09 Jul 2008 20:39:30 GMT

We use a scheme for granting developers and testers root perms on systems via an "su" account, which is basically an /etc/passwd entry similar to their normal account, but with a UID of 0. Conventions aside, that's the way they've been doing it and they're happy with, so that's what I've been asked to do.

ie:
norsu:ZZZZZZZZZZ.,n.xS:0:3::/root/users/norsu:/sbin/sh
markdsu:ZZZZZZZZZZ:0:3::/root/users/markdsu:/sbin/sh
thomfsu:ZZZZZZZZZZ:0:3:Thom Fitzpatrick SU,1-916-XXX-XXXX,Roseville,thom.fitzpatrick@hp.com,thomf:/root/users/thomfsu:/bin/ksh
dhyniesu:ZZZZZZZZZZ:0:3:Daniel Hynie SU,1-916-XXX-XXXX,Roseville,daniel.hynie@hp.com,dhynie:/root/users/dhyniesu:/bin/ksh

On a couple of newer 11.23 boxes, I'm getting some push-back - from the OS!

# su - thomfsu
su: unknown login thomfsu
Jul 9 14:29:32 amkibld06 syslog: NIS attack, user thomfsu has uid 0
amkibld06:/root/users/root #

I did some googling, and it appears that this is a change in the behavior of rlogind. My question is this: is there a way to get around this new restriction, or has my paradigm been sprained?

Re: syslog: NIS attack

James R. Ferguson — Wed, 09 Jul 2008 21:46:09 GMT

Hi:

Your environment is a disaster waiting to happen. Multiple uid=0 accounts mean that the first time you do something like:

# find / -user markdsu -exec rm -rf {} +

...to clean off "makdsu" because that developer has left your shop...you remove all files and directories owned by 'root' (uid=0).

If your argument is accountability, I submit that you said it was a developer's system; and I submit that *one* uid=0 (viz. the real 'root' account) is sufficient given the fact that your '/var/adm/sulog' tracks the transitions from any user account to 'root'.

Regards!

...JRF...

Re: syslog: NIS attack

MarkSyder — Thu, 10 Jul 2008 06:50:44 GMT

If you really need those users to have access to root commands you need sudo.

Mark Syder (like the drink but spelt different)

Re: syslog: NIS attack

thom_14 — Thu, 10 Jul 2008 14:19:00 GMT

I understand the various problems with this scheme, but I inherited it almost 10 years ago. I *tried* at one point to implement sudo, but it went over like a lead balloon (MythBusters notwithstanding). We have this arrangement where they tell me what they want done and pay me to do it; unfortunately it doesn't work the other way around...

Re: syslog: NIS attack

Peter Nikitka — Fri, 11 Jul 2008 14:00:51 GMT

Hi,

I think this is a good time, to tell your developers, that the current (unsafe) method of the xxxsu - accounts is no longer possible under the new OS.

mfG Peter

Re: syslog: NIS attack

thom_14 — Fri, 11 Jul 2008 16:01:04 GMT

I found a temporary workaround. It seems that only rlogind exhibits this behavior at this point, so if you rlogin to the box (yes, that's a whole 'nother box of worms) then you can't su to the XXXsu UID 0 user. However, you can still telnet or ssh directly to the box as the XXXsu user, it works fine.

Apart from all this, it seems silly that rlogind reports this as an NIS issue.