Re: Security Configuration Settings?

From: Lupe Christoph (lupe_at_lupe-christoph.de)
Date: 09/23/04

  • Next message: Eric Forgette: "Re: Security Configuration Settings?"
    Date: Thu, 23 Sep 2004 11:04:19 +0200
    To: El C0chin0 <mr.nasty@ix.netcom.com>
    
    

    On Tuesday, 2004-09-21 at 13:34:33 -0000, El C0chin0 wrote:

    > I don't understand and haven't been able to find anything related to what describes 'compat'. Can anyone provide me with why it is a good measure to change this from 'files' to 'compat' and what other changes may be necessary or what exactly is the difference?

    Please keep your lines to 72~80 chars.

    Do a "man nsswitch.conf", search for compat:

         compat      Valid only for passwd and group;
                     implements "+" and "-". See
                     Interaction with +/- syntax.

      Interaction with +/- syntax
         Releases prior to SunOS 5.0 did not have the name service
         switch but did allow the user some policy control. In
         /etc/passwd one could have entries of the form +user
         (include the specified user from NIS passwd.byname), -user
         (exclude the specified user) and + (include everything,
         except excluded users, from NIS passwd.byname). The desired
         behavior was often "everything in the file followed by
         everything in NIS", expressed by a solitary + at the end of
         /etc/passwd. The switch provides an alternative for this
         case ("passwd: files nis") that does not require + entries
         in /etc/passwd and /etc/shadow (the latter is a new addition
         to SunOS 5.0, see shadow(4)).

         If this is not sufficient, the NIS/YP compatibility source
         provides full +/- semantics. It reads /etc/passwd for
         getpwnam(3C) functions and /etc/shadow for getspnam(3C)
         functions and, if it finds +/- entries, invokes an appropri-
         ate source. By default, the source is "nis", but this may be
         overridden by specifying "nisplus" or "ldap" as the source
         for the pseudo-database passwd_compat.

         Note that for every /etc/passwd entry, there should be a
         corresponding entry in the /etc/shadow file.

         The NIS/YP compatibility source also provides full +/-
         semantics for group; the relevant pseudo-database is
         group_compat.

    HTH,
    Lupe Christoph

    -- 
    | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
    | "... putting a mail server on the Internet without filtering is like   |
    | covering yourself with barbecue sauce and breaking into the Charity    |
    | Home for Badgers with Rabies.                            Michael Lucas |
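
Added example (not part of the original post or of the man page): a small Python model of the +/- semantics quoted above, plus a check for +/- entries left in the passwd file when nsswitch.conf does not list compat. The NIS map and passwd contents are constructed sample data, the function names are hypothetical, and only the three entry forms named in the excerpt (+user, -user, +) are modelled.

```python
# Constructed sample data: a stand-in for the NIS passwd.byname map
# and a local /etc/passwd that uses the +/- syntax.
NIS_PASSWD = {"alice": 1001, "bob": 1002, "carol": 1003}
LOCAL_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
-bob
+alice
+
"""

def passwd_sources(nsswitch_text):
    """Return the sources listed on the 'passwd:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return []

def resolve_compat(passwd_text, nis_map):
    """Usernames visible under 'passwd: compat', in file order.
    Assumption: a -user entry only affects + entries that follow it."""
    visible, excluded = [], set()
    for entry in passwd_text.splitlines():
        name = entry.split(":", 1)[0].strip()
        if not name:
            continue
        if name.startswith("-"):
            excluded.add(name[1:])             # -user: exclude from NIS
            continue
        from_nis = name.startswith("+")
        if name == "+":
            found = list(nis_map)              # +: everything in NIS
        elif from_nis:
            found = [name[1:]] if name[1:] in nis_map else []  # +user
        else:
            found = [name]                     # ordinary local entry
        for user in found:
            if user not in visible and not (from_nis and user in excluded):
                visible.append(user)
    return visible

def audit(nsswitch_text, passwd_text):
    """List +/- entries that get no include/exclude handling because
    'compat' is not among the passwd sources."""
    if "compat" in passwd_sources(nsswitch_text):
        return []
    return [e for e in passwd_text.splitlines() if e[:1] in ("+", "-")]
```

A non-empty result from `audit` means the passwd file still carries +/- lines that the configured sources do not interpret as include/exclude rules, so either switch to compat or remove them.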
    
