Solaris 8 compat mode (FIXED)
Alek O. Komarnitsky (N-CSC)
alek at ast.lmco.com
Tue Aug 26 17:12:48 EDT 2003
> From sudo-users-bounces at sudo.ws Tue Aug 26 14:20 MDT 2003
> From: Greene Jason-RB512C <RB512C at motorola.com>
>
> Finally got back around to looking at this problem. Thought I would post this response since I have still not seen a solution posted.
>
> With help from Darren Dunham who pointed me to the fact that Solaris 8 now puts an x in the password field of the /etc/shadow file.
>
> When the system is set up in compat mode (/etc/nsswitch.conf), sudo is still using the shadow file to match the password of the + users (+userid in /etc/passwd) instead of NIS.
>
> The solution for the moment is to take the x out of the shadow file and everything performs as it did in Solaris 2.6. But it would seem that the sudo gods need to take a look at this and come up with a better solution for dealing with it.
>
> (I did test to make sure that a null password does not work when using sudo or otherwise with a blank password field in /etc/shadow)
>
> Thanks Again Darren!!!!!
>
>
> EXAMPLE:
>
> Broke:
> /etc/passwd
> ...
> +rb512c:x:::::::
> /etc/shadow
> ...
> +rb512c:x:::::::
>
> Works:
> /etc/passwd
> ...
> +rb512c:x:::::::
> /etc/shadow
> +rb512c::::::::

I'm a little confused ... isn't the behavior you saw
above the desired state for things in general (also sudo).
I.e. by putting an "x" in the local shadow file, I can
lock out an account (unless you have seamless rsh or
other non-password prompt type activity) that would
otherwise be enabled via NIS.
A good test of this would be if you tried to telnet to
the machine using the setup in the "broke" example.
This requires a username/password - can you actually
use the NIS one even though the local shadow file
has an "x" listed?
alek
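
An added example, not part of the original thread: a small audit that lists the compat-mode "+user" entries in a passwd file and reports whether the matching shadow password field is empty (the "Works" layout) or filled, e.g. with "x" (the "Broke" layout, which the reply reads as a local lockout). The function name, the state labels and the sample accounts other than rb512c are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit compat-mode "+user" entries.

# audit_compat PASSWD SHADOW -> one "<user> <state>" line per +user in PASSWD
#   nis-deferred     shadow password field is empty ("Works" layout)
#   local-override   shadow password field is non-empty, e.g. "x" ("Broke")
#   no-shadow-entry  no matching +user line in SHADOW
audit_compat() {
    awk -F: '
        function is_plus_user(n) {   # "+name", not a bare "+" or "+@netgroup"
            return substr(n, 1, 1) == "+" && length(n) > 1 && substr(n, 2, 1) != "@"
        }
        FILENAME == ARGV[1] {        # first file read: shadow
            if (is_plus_user($1)) { seen[$1] = 1; pw[$1] = $2 }
            next
        }
        is_plus_user($1) {           # second file read: passwd
            if (!($1 in seen))     state = "no-shadow-entry"
            else if (pw[$1] == "") state = "nis-deferred"
            else                   state = "local-override"
            print substr($1, 2), state
        }
    ' "$2" "$1"
}

# Constructed sample data mirroring the "Broke" and "Works" layouts above;
# +worksuser and +orphan are hypothetical accounts.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' '+rb512c:x:::::::' \
        '+worksuser:x:::::::' '+orphan:x:::::::' > "$d/passwd"
    printf '%s\n' 'root:NP:6445::::::' '+rb512c:x:::::::' \
        '+worksuser::::::::' > "$d/shadow"
    audit_compat "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

demo
```

Against real files this would be run as root, as `audit_compat /etc/passwd /etc/shadow`, so that any filled-in "+user" shadow field is a deliberate choice rather than a leftover.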