RE: Possible Issue with Netinfo and Mac OS X

From: Dixie Flatline (echo8at_private)
Date: Mon Sep 03 2001 - 04:57:26 PDT

Next message: Matthew Seaman: "Re: Possible Issue with Netinfo and Mac OS X"

Previous message: Derek Martin: "Re: S/Key keyinit(1) authentication (lack thereof) + sudo(1)"
Maybe in reply to: Benjamin Gardiner: "Possible Issue with Netinfo and Mac OS X"
Next in thread: kang: "Re: Possible Issue with Netinfo and Mac OS X"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have kept quiet about this to this point because I have not contacted Apple,
or given the vendor any opportunity to respond, but if this discussion is
going to be held in public, I think the following points are worthy of 
discussion: 

* /usr/bin/nireport can be run by any user and can pull essentially the same
information (including cyphertext passwords and password hints). 

* /usr/bin/nidump can be used for pretty much the same thing. 

Either of these can be run by any user, regardless of whether or not that user
exists in the sudoers file (which is to say whether or not that user is 
allowed to "admin" the box). 

* The netinfo GUI (/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager) is suid to root and will give out this information without 
requiring authentication. 

My system is running 10.0.4 (build 4Q12) with the Web Sharing update installed.


echo8

Next message: Matthew Seaman: "Re: Possible Issue with Netinfo and Mac OS X"
Previous message: Derek Martin: "Re: S/Key keyinit(1) authentication (lack thereof) + sudo(1)"
Maybe in reply to: Benjamin Gardiner: "Possible Issue with Netinfo and Mac OS X"
Next in thread: kang: "Re: Possible Issue with Netinfo and Mac OS X"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 21:19:40 PDT