Security limitations on configuration
To preserve the integrity of trusted databases,
NIS may not modify certain sensitive files within a C2 Secure system.
Although SCO NIS operates on a system with any of the
security defaults (High, Improved, Traditional, and Low), the
password and group databases are updated by NIS only in
the security defaults that use
/etc/passwd and /etc/group
as the master databases.
This condition is true if Traditional
or Low security (Unsecure Mode) is chosen at installation time.
If High or Improved security (Secure Mode) is chosen,
the Trusted Computing Base (TCB) manages
/etc/passwd and /etc/group and does not allow
NIS to update these files.
Only copy-only NIS servers and clients can be initialized in Secure Mode settings on SCO systems. These servers may receive maps, but they cannot propagate them. In addition, if a copy-only server in Secure Mode receives a password or group map, it cannot translate these maps into /etc/passwd or /etc/group ASCII files.
Clients that include NIS maps in their /etc/passwd or /etc/group files circumvent the TCB and are not C2 Secure.
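One way to audit a client for the map inclusions described above, as an added example that is not SCO code. It assumes the conventional NIS inclusion syntax, where a first field beginning with "+" pulls in map entries and "-" excludes them; the function name nis_inclusions and its output format are hypothetical.

```shell
#!/bin/sh
# Added audit sketch (not SCO code). Assumption: NIS map inclusion uses the
# conventional syntax, a first field starting with "+" (include) or "-"
# (exclude). Confirm against your NIS client documentation.

# nis_inclusions FILE
# Prints "<file>:<lineno>: <kind> <first-field>" for every NIS entry.
# Returns 0 if none were found, 1 if any were found, 2 if FILE is unreadable.
nis_inclusions() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -F: -v f="$file" '
        /^[+-]/ {
            name = $1
            if (name == "+")           kind = "include-whole-map"
            else if (name ~ /^[+]@/)   kind = "include-netgroup"
            else if (name ~ /^[+]/)    kind = "include-entry"
            else if (name ~ /^-@/)     kind = "exclude-netgroup"
            else                       kind = "exclude-entry"
            printf "%s:%d: %s %s\n", f, NR, kind, name
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$file"
}

# Audit any files named on the command line, e.g. /etc/passwd /etc/group.
for f in "$@"; do nis_inclusions "$f" || :; done
```

A non-zero return on a host running a Secure Mode default means the local files are drawing on NIS maps outside TCB control.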
Table 7-1, ``Security configurations for SCO NIS servers and clients'', lists the security configurations permitted for each type of SCO NIS server and client.
Table 7-1 Security configurations for SCO NIS servers and clients
-------------------------------------------------------------------
SCO NIS server or client type   Permitted security settings
-------------------------------------------------------------------
master or slave                 Unsecure Mode only (Traditional or Low)
copy-only or client             Secure Mode (High or Improved) or
                                Unsecure Mode (Traditional or Low)

These security precautions help prevent unauthorized NIS password and group information from reaching SCO hosts. However, the same security precautions may not be available for client implementations running on systems other than SCO. Consult your documentation for NIS client implementations if you are concerned with security.