[22499] in bugtraq
Re: Possible Issue with Netinfo and Mac OS X
daemon@ATHENA.MIT.EDU (Ethan Benson)
Mon Sep 3 11:29:09 2001
Date: Mon, 3 Sep 2001 01:33:23 -0800
From: Ethan Benson <erbenson@alaska.net>
To: Benjamin Gardiner <cvisors@off-fw.tved.net.au>
Cc: BUGTRAQ@securityfocus.com
Message-ID: <20010903013323.A11996@plato.local.lan>
In-Reply-To: <Pine.BSF.4.33.0109031129090.47081-100000@off-fw.tved.net.au>; from cvisors@off-fw.tved.net.au on Mon, Sep 03, 2001 at 12:22:50PM +1000
On Mon, Sep 03, 2001 at 12:22:50PM +1000, Benjamin Gardiner wrote:
[snip]
> Anyway to get to the core of the matter, I was looking through the
> file structure, looking at some of the config files, and such, when I
> happened to look in /var/backups in var/backups there was one file called:
> "local.nidump"
>
> This is a file which contains from what I can tell a fair part if not all
> of the information stored in the netinfo database, including users and
> passwords.
>
> Here is the information for a user I created for this purpose:
>
> "_shadow_passwd" = ( "" );
> "_writers_passwd" = ( "test" );
> "hint" = ( "" );
> "uid" = ( "502" );
> "_writers_hint" = ( "test" );
> "gid" = ( "20" );
> "realname" = ( "test" );
> "name" = ( "test" );
> "passwd" = ( "Fnh1eLU0U6o12" );
> "shell" = ( "/bin/tcsh" );
> "home" = ( "/Users/test" );
> "sharedDir" = ( "Public" );
>
>
> The issue is that my user "test" was created without the option to
> administer the system (by default root isn't enabled in Mac OS X.) This
> user though could access and copy and read this file, via a shell and also
> via ftp (please note again things like ssh and ftp are not started by
> default they have to be enabled in sharing under system preferences).
the same information as above can be gained with the command:
nidump passwd . (iirc i don't have any OSX systems around anymore)
which dumps an unshadowed passwd file in pretty much the same format
as you would find on a GNU/Linux or BSD system. any unprivileged user
may run this command, nidump is not suid nor sgid so changing its
permissions will do nothing, contrary to some suggestions to do so.
(the user may simply grab their own copy from another machine).
--
Ethan Benson
http://www.alaska.net/~erbenson/
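
An added example, not part of the original thread or of Mac OS X: an audit sketch that parses property lines in the format quoted above, lists the accounts whose `passwd` property carries a hash, and checks whether a dump file is readable by other users. The brace-delimited record layout, the "locked" account, and treating `*` as a non-usable value are assumptions made for the sample.

```python
import os
import re
import stat

# One property line in the format quoted in the post: "key" = ( "value", ... );
PROP_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*\((.*)\);\s*$')

# Constructed sample: the post's "test" user plus a made-up locked account.
SAMPLE = """\
{
"uid" = ( "502" );
"name" = ( "test" );
"passwd" = ( "Fnh1eLU0U6o12" );
}
{
"name" = ( "locked" );
"passwd" = ( "*" );
}
"""

def parse_records(text):
    """Group property lines into records; any non-property line ends a record (assumption)."""
    records, current = [], {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            current[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def exposed_accounts(records):
    """Names of records whose passwd property holds a non-empty, non-'*' value."""
    return [rec.get("name", ["?"])[0] for rec in records
            if any(v not in ("", "*") for v in rec.get("passwd", []))]

def world_readable(path):
    """True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    print("hash present in dump for:", exposed_accounts(parse_records(SAMPLE)))
    dump = "/var/backups/local.nidump"  # path named in the post
    print("world-readable dump:", os.path.exists(dump) and world_readable(dump))
```

As the reply points out, tightening the file mode only addresses the backup copy; the same data is available to any user through `nidump` itself.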