Focus on Sun
Thread: Security Configuration Settings? (Sep 21 2004 01:34PM, El C0chin0, 5 replies)
'passwd_compat'. Here you can specify an alternative database, next to
files.
E.g.:
passwd: compat
passwd_compat: ldap
The meaning of this is as follows: Search the local /etc/passwd file and if
you encounter any entries with the "+" or "-" syntax, process them and look
them up in LDAP. Of course, if you're using NIS, put nis as the keyword. The
same goes for nis+.
In your /etc/passwd file, you can now have such entries as:
+elcochino:x:::::
Meaning that the user "elcochino" can be found in the LDAP database and is
allowed access to the system.
This mechanism also allows you to use netgroups. E.g.:
+@sysadmins:x:::::
This would allow all the users in the NIS (or LDAP) netgroup called
'sysadmins' to have access to the system.
Make sure that the /etc/shadow file has the same entries and that the
password field is empty (I use LDAP at work and if the password field in
/etc/shadow is not empty for a netgroup, nobody from that group can log in).
Note that there is also a similar system for groups:
group: compat
group_compat: nis [nis+] [ldap]
Now that we've covered this topic, let me just state that it is impossible
to create a secure system if you're using NIS. Since nis is inherently
insecure, there is no way of securing the machine.
At the very least use something like nis+ (I wouldn't use it because of the
complexity) or even better ldap (but also with encrypted communication).
Hope this helps,
Jan
----- Original Message -----
From: "El C0chin0" <mr.nasty (at) ix.netcom (dot) com [email concealed]>
To: <focus-sun (at) securityfocus (dot) com [email concealed]>
Sent: Tuesday, September 21, 2004 3:34 PM
Subject: Security Configuration Settings?
>
>
> I'm in the process of trying to secure a SunOS name 5.8 Generic_108528-29
> sun4u sparc SUNW,Sun-Fire-280R, using settings per
> http://sabernet.home.comcast.net/papers/Solaris.html. I have a few
> questions about the settings and, due to the fact that this box is supposed
> to look as much like a production box but I have no budget for things like
> 'stronghold' etc., I must use as much freeware as possible.
>
> On the above mentioned page under "Access Controls" section 4: 'Only add
> accounts for users who require access to the system. If using NIS, use the
> compat mode by editing the /etc/nsswitch.conf file:
>
> passwd: compat'
>
> I don't understand and haven't been able to find anything related to what
> describes 'compat'. Can anyone provide me with why it is a good measure to
> change this from 'files' to 'compat' and what other changes may be necessary
> or what exactly is the difference?
>
> Thanks
>
> I can only hope the moderators of this group find this worthy of being
> posted.
>
>
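As an added example, not part of Jan's reply or the original thread: a small Python script that simulates the compat lookup order described above (ordinary local entries, "-name", "+name", "+@netgroup", first match wins) against a constructed stand-in for the LDAP/NIS passwd and netgroup maps, reads the passwd/passwd_compat lines from an nsswitch.conf fragment, and audits /etc/shadow for the matching "+" entries with an empty password field that the reply says are required. The file excerpts, directory contents and netgroup membership are constructed; the override of directory fields by non-empty local fields is simplified to the home directory and shell columns.

```python
"""Simulate the 'passwd: compat' lookup order from nsswitch.conf and audit
/etc/shadow for the companion '+' entries.  All data here is constructed."""
from typing import Dict, List, Optional, Set

NSSWITCH_CONF = "passwd:        compat\npasswd_compat: ldap\n"

# Constructed /etc/passwd.  The first matching line wins, so order matters.
LOCAL_PASSWD = [
    "root:x:0:0:Super-User:/:/sbin/sh",
    "-mallory:x:::::",             # deny mallory even though the directory knows her
    "+elcochino:x:::::",           # admit one directory user
    "+@sysadmins:x:::::/bin/ksh",  # admit a whole netgroup, override the shell
]

# Constructed /etc/shadow.  Every '+' line above needs a twin here with an
# empty password field; the last line is deliberately wrong.
LOCAL_SHADOW = [
    "root:NP:6445::::::",
    "+elcochino::::::::",
    "+@sysadmins:*LK*:::::::",
]

# Constructed stand-ins for the LDAP/NIS passwd and netgroup maps.
DIRECTORY: Dict[str, str] = {
    "elcochino": "elcochino:x:1001:10:El Cochino:/home/elcochino:/bin/sh",
    "alice":     "alice:x:1002:10:Alice:/home/alice:/bin/sh",
    "mallory":   "mallory:x:1003:10:Mallory:/home/mallory:/bin/sh",
}
NETGROUPS: Dict[str, Set[str]] = {"sysadmins": {"alice", "mallory"}}


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database name to its list of sources, ignoring comments."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            table[db.strip()] = sources.split()
    return table


def compat_sources(table: Dict[str, List[str]]) -> List[str]:
    """Sources consulted for '+'/'-' entries (nis if passwd_compat is unset)."""
    if "compat" not in table.get("passwd", []):
        return []
    return table.get("passwd_compat", ["nis"])


def _covers(spec: str, user: str) -> bool:
    """True if a '+'/'-' spec (bare, 'name' or '@netgroup') applies to user."""
    if spec == "":
        return True                              # bare '+' or '-': everyone
    if spec.startswith("@"):
        return user in NETGROUPS.get(spec[1:], set())
    return spec == user


def compat_lookup(user: str) -> Optional[str]:
    """Walk /etc/passwd in order and honour the first matching entry."""
    for line in LOCAL_PASSWD:
        fields = line.split(":")
        name = fields[0]
        if name.startswith("-"):
            if _covers(name[1:], user):
                return None                      # explicitly denied
        elif name.startswith("+"):
            if not _covers(name[1:], user):
                continue
            entry = DIRECTORY.get(user)
            if entry is None:
                return None                      # admitted, but unknown upstream
            dfields = entry.split(":")
            # Non-empty local fields override the directory's values
            # (simplified here to the home directory and shell columns).
            for idx in (5, 6):
                if len(fields) > idx and fields[idx]:
                    dfields[idx] = fields[idx]
            return ":".join(dfields)
        elif name == user:
            return line                          # ordinary local account
    return None


def audit_shadow() -> List[str]:
    """Flag '+' passwd entries lacking a shadow twin or carrying a password."""
    shadow = {ln.split(":")[0]: ln.split(":") for ln in LOCAL_SHADOW}
    findings: List[str] = []
    for line in LOCAL_PASSWD:
        name = line.split(":")[0]
        if not name.startswith("+"):
            continue
        if name not in shadow:
            findings.append(f"{name}: no matching /etc/shadow entry")
        elif shadow[name][1] != "":
            findings.append(f"{name}: shadow password field is {shadow[name][1]!r}, expected empty")
    return findings


if __name__ == "__main__":
    print("compat sources:", compat_sources(parse_nsswitch(NSSWITCH_CONF)))
    for u in ("root", "elcochino", "alice", "mallory", "carol"):
        print(f"{u:10} -> {compat_lookup(u)}")
    print("audit:", audit_shadow())
```

Running it shows root resolved locally, elcochino and alice pulled from the directory (alice with the overridden shell), mallory denied by the "-" line that precedes her netgroup's "+" line, carol unknown, and one audit finding for the "+@sysadmins" shadow entry whose password field is not empty.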