Solaris 8 compat mode (FIXED)
Galen.Johnson at sas.com
Tue Aug 26 17:44:59 EDT 2003
You may also want to look at your /etc/nsswitch.conf file. Look at the passwd entry...if 'files' comes before 'nis' that might shed some light on why it checks the shadow file first.
From: Alek O. Komarnitsky (N-CSC) [mailto:alek at ast.lmco.com]
Sent: Tuesday, August 26, 2003 5:13 PM
To: RB512C at motorola.com; sudo-users at sudo.ws
Subject: RE: Solaris 8 compat mode (FIXED)
> From sudo-users-bounces at sudo.ws Tue Aug 26 14:20 MDT 2003
> From: Greene Jason-RB512C <RB512C at motorola.com>
> Finally got back around to looking at this problem. Thought I would post this response since I have still not see a solution posted.
> With help from Darren Dunham who pointed me to the fact that solaris 8 now puts an x in the password field of the /etc/shadow file.
> When the system is set up in compat mode (/etc/nsswitch.conf), sudo is still using the shadow file to match the password of the + users (+userid in /etc/passwd) instead of NIS.
> The solution for the moment is to take the x out of the shadow file and everything performs as it did in Solaris 2.6. But I it would seem that the sudo gods need to take a look at this and come up with a better solution for dealing with it.
> (I did test to make sure that a null password does not work when using sudo or otherwise with a blank password field in /etc/shadow)
> Thanks Again Darren!!!!!
I'm a little confused ... isn't the behavior you saw
above the desired state for things in general (also sudo).
I.e. by putting an "x" in the local shodow file, I can
lock out an account (unless you have seemless rsh or
other non-password prompt type activity) that would
otherwise be enabled via NIS.
A good test of this would be if you tried to telnet to
the machine using the setup in the "broke" example.
This requires a username/password - can you actually
using the NIS one even though the local shadow file
has an "x" listed?
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
More information about the sudo-users