Hesiod security

From: KF (dotslashat_private)
Date: Wed Jun 05 2002 - 21:51:55 PDT


    Does anyone know about spoofing Hesiod requests or replies or anything of 
    that nature?
    
    Hesiod is supposed to only deal with non security sensitive data. Your 
    user ID, shell and home directory are determined by Hesiod... I would say 
    at LEAST your uid should be considered security sensitive. If you could 
    spoof a reply for uid 0 I think you could take advantage of this.
    
    I could be simply ignorant of the use of Hesiod ...
    
    Definition of Hesiod:
    Hesiod, developed by MIT Project Athena, is an information service built 
    upon BIND. Its intent is similar to that of Sun's NIS: to furnish 
    information about users, groups, network-accessible file systems, 
    printcaps, and mail service throughout an installation. Aside from its 
    use of BIND rather than separate server code, another important 
    difference between Hesiod and NIS is that Hesiod is not intended to deal 
    with passwords and authentication, but only with data that are not 
    security sensitive. Hesiod servers can be implemented by adding resource 
    records to BIND servers; or they can be implemented as separate servers 
    separately administered.
    
    -KF
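
A client-side sanity check for the concern raised in this message, as an added example that is not part of the original post or of Hesiod itself: it vets a passwd(5)-style line received from a Hesiod lookup before the account data is used. The function name, `MIN_UID`, the shell allow-list and the sample records are assumptions made for illustration; the check does not authenticate the reply, it only limits what a forged one could assert.

```python
# Added example: vet one passwd(5)-style line obtained from a Hesiod lookup.
# MIN_UID, ALLOWED_SHELLS and the sample records are assumptions/constructed.
MIN_UID = 1000                                         # assumed site policy
ALLOWED_SHELLS = {"/bin/sh", "/bin/csh", "/bin/bash"}  # assumed allow-list


def vet_hesiod_passwd(requested_name, record):
    """Return a sorted list of problem codes; an empty list means acceptable."""
    fields = record.split(":")
    if len(fields) != 7:
        return ["malformed"]
    name, passwd, uid_s, gid_s, _gecos, home, shell = fields
    # Require plain ASCII decimal ids (str.isdigit alone accepts other digits).
    if not all(s.isascii() and s.isdigit() for s in (uid_s, gid_s)):
        return ["malformed"]
    uid, gid = int(uid_s), int(gid_s)
    problems = set()
    if name != requested_name:
        problems.add("name-mismatch")      # answer is for a different account
    if uid == 0 or gid == 0:
        problems.add("root-id")            # never accept root from the directory
    elif uid < MIN_UID:
        problems.add("system-uid")         # reserved range stays in local files
    if passwd != "*":
        problems.add("password-data")      # Hesiod is not meant to carry passwords
    if not home.startswith("/") or ".." in home.split("/"):
        problems.add("bad-home")
    if shell not in ALLOWED_SHELLS:
        problems.add("bad-shell")
    return sorted(problems)


# Constructed sample records in passwd(5) layout.
SAMPLES = {
    "alice": "alice:*:5012:101:Alice Example:/mit/alice:/bin/csh",
    "bob": "bob:*:0:0:Bob Example:/mit/bob:/bin/csh",
    "carol": "carol:*:5013:101:Carol Example:/mit/carol/../../root:/bin/nologin2",
}

if __name__ == "__main__":
    for user, rec in SAMPLES.items():
        print(user, vet_hesiod_passwd(user, rec) or "ok")
```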
    


