IT Baseline Protection Manual S 5.18 Use of the NIS security mechanisms
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: Administrators
NIS (Network Information Service) cannot be operated without serious security shortcomings and should therefore be used only in a secure environment.
The following requirements apply to a NIS server:
The password file /etc/passwd must not contain the entry +::0:0::: since otherwise access with the name '+' without a password is possible. Should the entry be necessary, the password field must be replaced by '*' (you must check whether access has actually been blocked!). Nevertheless, there will still be the risk that, in case of inadvertent deletion of the first column (i.e. '+'), privileged access will be possible without a password and without a user name!
The situation is similar as regards the group file /etc/group and all other security-relevant files which are to be made accessible network-wide through the NIS, e.g. /etc/hosts, /etc/group or /etc/bootparams.
The ypserv server process should respond only to queries made by computers which have been designated in advance.
The following requirements apply to a NIS client:
The entry +:*:0:0::: in the password file /etc/passwd should be documented (cf. S 2.31 Documentation of authorised users and authorisation parameters), and in any case there should be an entry in the password field so that access with the user name '+' without a password will not be inadvertently provided in case of (intentional or unintentional) failure to use the NIS.
Similar provisions apply to the group file /etc/group and all other security-relevant files to be made accessible network-wide through the NIS.
The ypbind client process should only accept data coming from a privileged port since otherwise it might obtain data (including passwords!) from any process whatsoever claiming to be a server.
In order to prevent the NIS system administrator from having root rights on all NIS clients, a local user with the UID 0 should be established on each NIS client.
It must be borne in mind that NIS will, as a first step, search the local files for matching entries, so that, for instance, the entries
root::0:0:::
+:*:0:0:::
in the /etc/passwd file have the effect that the first entry, which has no password, is used instead of the root password from the NIS map.
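The checks in this safeguard (a '+' entry with an empty password field, an entry whose '+' has been lost, a local entry without a password that is found before the NIS map) can be turned into a small audit. The following Python script is an added example and is not part of the safeguard or of any NIS implementation; the function names, the sample passwd and group lines and the lookup-order model are constructed here, and the lookup model follows the text above (a local entry is matched before the NIS map is consulted).

```python
# Added example: audit passwd/group-format files for the NIS weaknesses named
# in S 5.18. Sample lines below are constructed, not taken from a real system.
from typing import List, Optional, Tuple

# /etc/passwd entries have 7 colon-separated fields, /etc/group entries have 4.
FIELD_COUNT = {"passwd": 7, "group": 4}


def audit_lines(kind: str, lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for one file of the given kind.

    Checks performed:
      - NIS marker ('+' or '-' entry) with an empty password field, e.g. +::0:0:::
      - empty name field (the '+' was deleted) -> possibly UID 0 without name
      - passwd only: local entry with an empty password (shadows the NIS map)
      - wrong number of fields (corrupted entry)
    An empty password field in a group entry is normal and is not reported.
    """
    expected = FIELD_COUNT[kind]
    findings: List[Tuple[int, str]] = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != expected:
            findings.append((number, f"malformed entry: {len(fields)} fields, expected {expected}"))
            continue
        name, password = fields[0], fields[1]
        is_nis_marker = name.startswith("+") or name.startswith("-")
        if name == "":
            detail = " with empty password" if password == "" else ""
            findings.append((number, f"empty name field{detail}"))
        elif is_nis_marker and password == "":
            findings.append((number, f"NIS marker '{name}' has an empty password field; replace it with '*'"))
        elif kind == "passwd" and password == "":
            findings.append((number, f"local entry '{name}' has no password; it is found before the NIS map"))
    return findings


def lookup_source(lines: List[str], name: str) -> Tuple[Optional[str], Optional[List[str]]]:
    """Model which entry satisfies a lookup for `name` (constructed model, see lead-in).

    Returns ('local', fields) if a local entry for the name exists, ('nis', None)
    if only a '+' marker is present, and (None, None) if neither is found.
    """
    local: Optional[List[str]] = None
    has_nis_marker = False
    for raw in lines:
        fields = raw.rstrip("\n").split(":")
        if not fields[0] or fields[0].startswith("#"):
            continue
        if fields[0].startswith("+"):
            has_nis_marker = True
        elif fields[0] == name and local is None:
            local = fields
    if local is not None:
        return "local", local
    if has_nis_marker:
        return "nis", None
    return None, None


# Constructed sample input covering each check.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",               # fine
    "+::0:0:::",                                    # '+' with empty password
    "::0:0:::",                                     # '+' deleted: no name, no password
    "guest::500:100:Guest:/home/guest:/bin/sh",    # local entry without password
    "+:*:0:0:::",                                   # documented client entry, fine
    "bad:x:1:2",                                    # wrong field count
]
SAMPLE_GROUP = [
    "wheel:x:10:root",   # fine
    "+::0:",             # '+' with empty password
    "+:*:0:",            # fine
]

if __name__ == "__main__":
    for kind, sample in (("passwd", SAMPLE_PASSWD), ("group", SAMPLE_GROUP)):
        for number, finding in audit_lines(kind, sample):
            print(f"{kind} line {number}: {finding}")
    source, entry = lookup_source(["root::0:0:::", "+:*:0:0:::"], "root")
    print(f"root resolves from: {source}, entry: {entry}")
```

Run it against copies of the real files with `audit_lines("passwd", open("/etc/passwd").readlines())`; the lookup function shows why the second example in the text (root entry without a password placed before the '+' line) never reaches the NIS map for root.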