Networking Guide
Chapter 7, Configuring the Network Information Service (NIS)

Security limitations on configuration

To preserve the integrity of trusted databases, NIS is not permitted to modify certain sensitive files within a C2 Secure system. Although SCO NIS operates on a system with any of the security defaults (High, Improved, Traditional, and Low), NIS updates the password and group databases only under the security defaults that use /etc/passwd and /etc/group as the master databases. This is the case if Traditional or Low security (Unsecure Mode) is chosen at installation time. If High or Improved security (Secure Mode) is chosen, the Trusted Computing Base (TCB) manages /etc/passwd and /etc/group and does not allow NIS to update these files.

Only copy-only NIS servers and clients can be initialized in Secure Mode settings on SCO systems. These servers may receive maps, but they cannot propagate them. In addition, if a copy-only server in Secure Mode receives a password or group map, it cannot translate these maps into /etc/passwd or /etc/group ASCII files.

Clients that include NIS maps in their /etc/passwd or /etc/group files circumvent the TCB and are not C2 Secure.

Table 7-1, "Security configurations for SCO NIS servers and clients", lists the security configurations permitted for each type of SCO NIS server and client.

Table 7-1 Security configurations for SCO NIS servers and clients

 -------------------------------------------------------------------
 SCO NIS server
 or client type        Permitted security settings
 -------------------------------------------------------------------
 master or slave       Unsecure Mode only (Traditional or Low)
 copy-only or client   Secure Mode (High or Improved) or
                       Unsecure Mode (Traditional or Low)
 -------------------------------------------------------------------

These security precautions help prevent unauthorized NIS password and group information from reaching SCO hosts. However, the same security precautions may not be available for client implementations running on systems other than SCO. Consult your documentation for NIS client implementations if you are concerned with security.
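
An audit check for the condition noted above, where a client includes NIS maps in its /etc/passwd or /etc/group file. This is an added example, not SCO-supplied code: it assumes the conventional NIS "+" and "-" entry syntax, which this page does not show, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added audit example, not SCO-supplied code. Assumption: the conventional
# NIS syntax, where a passwd/group line whose first field starts with "+"
# pulls entries from a NIS map and one starting with "-" excludes them.

# nis_inclusion_entries FILE
# Prints "file:lineno:kind:name" for every such line in FILE.
nis_inclusion_entries() {
    awk -F: '
        /^[+-]/ {
            name = substr($1, 2)
            verb = (substr($1, 1, 1) == "+") ? "include" : "exclude"
            if (name == "")                     kind = verb "-all"
            else if (substr(name, 1, 1) == "@") kind = verb "-netgroup"
            else                                kind = verb "-entry"
            print FILENAME ":" FNR ":" kind ":" name
        }' "$1"
}

# audit_nis_files FILE...
# Reports every hit; returns 1 if any file includes NIS data, else 0.
audit_nis_files() {
    status=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "skip: cannot read $f" >&2; continue; }
        hits=$(nis_inclusion_entries "$f")
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits"
        case "$hits" in *:include-*) status=1 ;; esac
    done
    return "$status"
}

# write_sample FILE: constructed passwd-format sample, not from a real host.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
alice:x:200:50:Alice:/usr/alice:/bin/sh
+@engineers::::::
-guest::::::
+::::::
EOF
}

# Audit the files named on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_nis_files "$@"
fi
```

Run with /etc/passwd and /etc/group as arguments, the script exits non-zero when either file includes NIS data, which on a Secure Mode host marks a client that is bypassing the TCB.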
