Solaris 8 compat mode (FIXED)

Galen Johnson Galen.Johnson at sas.com
Tue Aug 26 17:44:59 EDT 2003


You may also want to look at your /etc/nsswitch.conf file.  Look at the passwd entry...if 'files' comes before 'nis' that might shed some light on why it checks the shadow file first.

=G=

-----Original Message-----
From: Alek O. Komarnitsky (N-CSC) [mailto:alek at ast.lmco.com] 
Sent: Tuesday, August 26, 2003 5:13 PM
To: RB512C at motorola.com; sudo-users at sudo.ws
Subject: RE: Solaris 8 compat mode (FIXED)


> From sudo-users-bounces at sudo.ws Tue Aug 26 14:20 MDT 2003
> From: Greene Jason-RB512C <RB512C at motorola.com>
> 
> Finally got back around to looking at this problem.  Thought I would post this response since I have still not seen a solution posted.
> 
> With help from Darren Dunham who pointed me to the fact that Solaris 8 now puts an x in the password field of the /etc/shadow file.
> 
> When the system is set up in compat mode (/etc/nsswitch.conf), sudo is still using the shadow file to match the password of the + users (+userid in /etc/passwd) instead of NIS.
> 
> The solution for the moment is to take the x out of the shadow file and everything performs as it did in Solaris 2.6.  But it would seem that the sudo gods need to take a look at this and come up with a better solution for dealing with it.
> 
> (I did test to make sure that a null password does not work when using sudo or otherwise with a blank password field in /etc/shadow)
> 
> Thanks Again Darren!!!!!
> 
> 
> EXAMPLE:
> 
> Broke:
> /etc/passwd
> ...
> +rb512c:x:::::::
> /etc/shadow
> ...
> +rb512c:x:::::::
> 
> Works:
> /etc/passwd
> ...
> +rb512c:x:::::::
> /etc/shadow
> +rb512c::::::::



I'm a little confused ... isn't the behavior you saw
above the desired state for things in general (also sudo)?

I.e. by putting an "x" in the local shadow file, I can 
lock out an account (unless you have seamless rsh or
other non-password prompt type activity) that would 
otherwise be enabled via NIS.

A good test of this would be if you tried to telnet to
the machine using the setup in the "broke" example.
This requires a username/password - can you actually 
use the NIS one even though the local shadow file
has an "x" listed?

alek
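
An added example, not part of the original thread: a Python check that lists `+user` compat entries whose local /etc/shadow password field is non-empty, which is the state the thread reports as making sudo match against the local shadow field instead of NIS. The function names and all sample file contents other than the `+rb512c` lines are constructed for illustration.

```python
def passwd_sources(nsswitch_text):
    """Return the lookup sources on the 'passwd:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return []

def _name_and_password(text):
    """Map the first field of each colon-separated line to its second field."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            parts = line.split(":")
            out[parts[0]] = parts[1]
    return out

def local_shadow_overrides(nsswitch_text, passwd_text, shadow_text):
    """List (entry, shadow password field) for '+user' compat entries whose
    local shadow password field is non-empty. Empty list if not in compat mode."""
    if "compat" not in passwd_sources(nsswitch_text):
        return []
    shadow = _name_and_password(shadow_text)
    findings = []
    for name in _name_and_password(passwd_text):
        # '+user' only: skip the bare '+' wildcard and '+@netgroup' entries
        if name.startswith("+") and len(name) > 1 and not name.startswith("+@"):
            field = shadow.get(name)
            if field:                              # e.g. 'x' as in the "Broke" case
                findings.append((name, field))
    return sorted(findings)

# Constructed sample inputs; only the +rb512c lines come from the thread.
NSSWITCH = "passwd: compat   # constructed sample\ngroup: files nis\n"
PASSWD = "root:x:0:1:Super-User:/:/sbin/sh\n+rb512c:x:::::::\n"
SHADOW_BROKE = "root:constructedhash:6445::::::\n+rb512c:x:::::::\n"
SHADOW_WORKS = "root:constructedhash:6445::::::\n+rb512c::::::::\n"

if __name__ == "__main__":
    print("broke:", local_shadow_overrides(NSSWITCH, PASSWD, SHADOW_BROKE))
    print("works:", local_shadow_overrides(NSSWITCH, PASSWD, SHADOW_WORKS))
```
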