This is normal behaviour. The NDS database allows all objects to be managed in this way, and is in fact a strength of NDS security and management. The fact that a user can be removed from public view is not special -- in fact, you could apply this feature to a container and hide an entire department from public view.

The only reason this works is due to the fact that the object is a supervisor of itself. This is not a normal default value. By default, a user can only modify a few properties such as his login script or other specific items. The reason the user is removed from view is because all the object rights had been blocked by the filter you invoked. Had the user not been a supervisor of himself, or no other user capable of management of the user, this could not be accomplished.

From a security standpoint, this is one way to create an account "back door" into a system. The rub is that in order to do so, you must first be supervisor or equiv. to change NDS rights. There are not very many tools that will find "hidden" users like these. Typically, an NLM must run at the console in system security context to detect these users.

This experiment is covered in Novell training classes, and is used to demonstrate the flexibility of NDS. I would contend that it is hardly a bug -- more likely, an administrator issue!

Pat Hayden

-----Original Message-----
From: jdrodriguezat_private [SMTP:jdrodriguezat_private]
Sent: Thursday, April 16, 1998 2:59 PM
To: BUGTRAQat_private
Subject: Novell Netware 4.X Hidden user accounts

Command: Creating user accounts
Systems Affected: Netware 4.X

Problem: Netware allows a user account to become "hidden" and unable to be managed by native Netware tools, including deleting the account.

The following MUST be done as an admin (supervisor):

1) Start NWADMIN
2) Create a user
3) Give the user supervisor equivalence (Note: Not required, but why not)
4) Right click on the user.
5) Select Trustees
6) Delete Root and Public trustees
7) Select the user and change its rights (Object and Property)
8) Assign ONLY Supervisor
9) Select Inherited Rights Filter
10) Deselect all values (NO boxes should be marked)
11) Return to main NWADMIN screen (HIT OK TWICE, I think)
12) Refresh the screen (Can be done by clicking on the tree name where the user account was created)
13) The user account is GONE.

Execute some native Netware commands. Try this one, which will list all detailed information on all users:

    NLIST USER /D

The newly created account is now missing. Now try to assign a password to the account:

    SETPASS USERNAME

You get an error message stating that you must be a manager to change the password.

Solution: Unknown

Workaround: To delete this account, you must start the server in bindery mode. Add the SET BINDERY CONTEXT command in AUTOEXEC.NCF (Note: You must set the context to the one in which the account was created). Utilize the USERDUMP tool to ID the account, if you have not done so already. Next, use CHGPASS to change the user account's password. Log in as that user, and reverse the previous procedure to hide the user account. Specifically, adding PUBLIC and ROOT as trustees. USERDUMP and CHGPASS are publicly available tools.
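A constructed model of the rights calculation both messages describe, added here as an illustration and not code from either poster or from Novell: it computes effective NDS object rights from explicit trustee assignments, inheritance down the container chain and the Inherited Rights Filter, then walks the whole tree (as a console NLM in system context would) to flag objects the admin can no longer Browse although they remain supervisors of themselves. The object names, the bit values for the rights and the default [Root] assignments are assumptions.

```python
# Simplified model of NDS object rights, constructed for illustration (not Novell's API).
SUPERVISOR, BROWSE, CREATE, DELETE, RENAME = 1, 2, 4, 8, 16
ALL_RIGHTS = SUPERVISOR | BROWSE | CREATE | DELETE | RENAME

class NdsTree:
    def __init__(self):
        self.parent = {}    # object -> containing object (None for the tree root)
        self.trustees = {}  # object -> {trustee: explicitly assigned rights}
        self.irf = {}       # object -> Inherited Rights Filter (rights allowed to flow in)
    def add(self, name, parent=None, irf=ALL_RIGHTS):
        self.parent[name], self.trustees[name], self.irf[name] = parent, {}, irf
    def grant(self, obj, trustee, rights):
        self.trustees[obj][trustee] = rights
    def _rights(self, trustee, obj):
        # An explicit assignment replaces inheritance; otherwise rights flow down
        # from the parent and are masked by this object's IRF.
        if trustee in self.trustees[obj]:
            r = self.trustees[obj][trustee]
        else:
            p = self.parent[obj]
            r = 0 if p is None else self._rights(trustee, p) & self.irf[obj]
        return ALL_RIGHTS if r & SUPERVISOR else r  # Supervisor implies every right
    def effective(self, user, obj):
        # Every authenticated user is also security-equivalent to [Public] and [Root].
        r = 0
        for ident in (user, "[Public]", "[Root]"):
            r |= self._rights(ident, obj)
        return r

def hidden_objects(tree, admin):
    # Walk the whole tree (as a console NLM would) and report objects the admin
    # cannot even Browse although the object is still a supervisor of itself.
    return sorted(o for o in tree.parent
                  if not tree.effective(admin, o) & BROWSE
                  and tree.effective(o, o) & SUPERVISOR)

def build_sample_tree():
    t = NdsTree()
    t.add("[Root]")
    t.add("O=ACME", "[Root]")
    for cn in ("Admin", "Bob", "Ghost"):
        t.add(f"CN={cn}.O=ACME", "O=ACME")
    t.grant("[Root]", "CN=Admin.O=ACME", SUPERVISOR)  # assumed default Admin rights
    t.grant("[Root]", "[Public]", BROWSE)             # assumed default [Public] Browse
    # Steps 6-10 of the original post: self as sole trustee with Supervisor,
    # and an IRF that blocks everything inherited from the container.
    t.grant("CN=Ghost.O=ACME", "CN=Ghost.O=ACME", SUPERVISOR)
    t.irf["CN=Ghost.O=ACME"] = 0
    return t
```

Running `hidden_objects(build_sample_tree(), "CN=Admin.O=ACME")` reports only the Ghost object, while Bob, who inherits normally, stays visible.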
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:28 PDT