-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Sep 2004, El C0chin0 wrote:
>
> I don't understand and haven't been able to find anything related to what
> describes 'compat'. Can any one provide me with why it is a good measure to
> change this from 'files' to 'compat' and what other changes may be necessary
> or what exactly is the difference?
>

Hello El C0chin0.

First I will answer your question about `compat' issue, below that answer you
can find other things related to Sun Solaris security.

Description of `compat' you can find in man page for nsswitch.conf.

Quote:

"compat Valid only for passwd and group; implements "+" and "-". See
Interaction with +/- syntax."

There is also section which described "+/- syntax":

"Interaction with +/- syntax Releases prior to SunOS 5.0 did not have the
name service switch but did allow the user some policy control. In
/etc/passwd one could have entries of the form +user (include the
specified user from NIS passwd.byname), -user (exclude the specified user)
and + (include everything, except excluded users, from NIS passwd.byname).
The desired behavior was often "everything in the file followed by
everything in NIS", expressed by a solitary + at the end of /etc/passwd. The
switch provides an alternative for this case ("passwd: files nis") that
does not require + entries in /etc/passwd and /etc/shadow (the latter is a new
addition to SunOS 5.0, see shadow(4)).

If this is not sufficient, the NIS/YP compatibility source provides full +/-
semantics. It reads /etc/passwd for getpwnam(3C) functions and /etc/shadow
for getspnam(3C) functions and, if it finds +/- entries, invokes an appropri-
ate source. By default, the source is "nis", but this may be overridden by
specifying "nisplus" or "ldap" as the source for the pseudo-database
passwd_compat.

Note that for every /etc/passwd entry, there should be a corresponding entry
in the /etc/shadow file. The NIS/YP compatibility source also provides full
+/- semantics for group; the relevant pseudo-database is group_compat."

Sun provides "Solaris Security Toolkit (JASS)", which is available to user for
download at no cost. Be sure to check
"http://wwws.sun.com/software/security/jass/". This toolkit provides a
flexible and extensible mechanism to minimize, harden, and secure Solaris
Operating Environment systems.

If you are interested in securing your Solaris OS, be sure to check Sun
BluePrints archives at
"http://www.sun.com/blueprints/browsesubject.html#security".

I hope this is helpful.

Regards.

- -Marek Antozi
- --
Senior System Administrator
SUN Microsystems, Developer Platform Group
Tel.: +420 2 3300-9126
Fax.: +420 2 3300-9299
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SunOS)
Comment: For info see http://www.gnupg.org

iD8DBQFBUqCwDfUZjsbiBSwRAu1GAKCZbYBABKKDo4iVkV3Bs+z5+ri5dQCfdVNN
wleHHq6RrE5w7lBHfnsxZsA=
=chAL
-----END PGP SIGNATURE-----

[ reply ]