Re: Security Configuration Settings?
From: James Lick (jlick_at_drivel.com)
Date: Thu, 23 Sep 2004 13:59:56 +0800
El C0chin0 wrote:
>On the above mentioned page under "Access Controls" section 4 'Only add accounts for users who require access to the system. If using NIS, use the compat mode by editing the /etc/nsswitch.conf file:
>I don't understand and haven't been able to find anything related to what describes 'compat'. Can anyone provide me with why it is a good measure to change this from 'files' to 'compat' and what other changes may be necessary or what exactly is the difference?

The compat keyword means that the passwd file emulates that behavior in
SunOS 4.x where you could use NIS as your nameservice, but list in your
/etc/passwd file which users and netgroups are included or excluded via
lines starting with + or -. Normally when using NIS, anyone in the name
service can log into the system. This is not a good idea when you want
to restrict access to only a small set of people.

The usual alternative is to not use NIS and manually add in the users
you want. This has some management issues such as user ids and
passwords not being consistent, and makes it harder to ensure you remove
someone's access completely if their employment ends. With compat mode
you can create a netgroup of users in NIS and just include that netgroup
with one line in your passwd file, or you can add or bar people by
username so that their NIS entry is used and a separate passwd entry is
not needed, and they lose access once they are removed from NIS.

For more information:
man -s 4 nsswitch.conf
man -s 4 passwd
-- James Lick -- 黎建溥 -- firstname.lastname@example.org -- http://jameslick.com/
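
Added example (not part of the original message and not its author's code): a small Python model of the compat-mode lookup described above, showing which NIS users a given /etc/passwd admits under "passwd: compat" and that a user removed from NIS loses access without any local edit. The NIS map, netgroup and passwd contents are constructed, netgroups are simplified to sets of usernames, and the rule that a "-" line only bars inclusions that follow it is an assumption to confirm against passwd(4).

```python
# Model of passwd "compat" lookups. Added example; all sample data is constructed.
# Assumptions: netgroups are reduced to sets of usernames, and a "-" line only
# bars inclusions that appear after it in the file.

NIS_PASSWD = {"alice", "bob", "carol", "dave"}   # constructed NIS passwd map
NETGROUPS = {"dbadmins": {"alice", "bob"}}       # constructed netgroup

PASSWD_FILE = """\
root:x:0:0:Super-User:/:/sbin/sh
-bob
+@dbadmins
+carol
"""

def admitted_users(passwd_text, nis_users, netgroups):
    """Return (local, from_nis, warnings) for a compat-mode passwd file."""
    local, from_nis, excluded, warnings = set(), set(), set(), []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        name = line.split(":", 1)[0].strip()
        if not name:
            continue
        if name[0] not in "+-":
            local.add(name)                      # ordinary local account
            continue
        sign, target = name[0], name[1:]
        if target.startswith("@"):
            members = netgroups.get(target[1:], set())
        elif target:
            members = {target}
        elif sign == "+":                        # bare "+": the whole NIS map
            members = set(nis_users)
            warnings.append(f"line {lineno}: bare '+' admits every user in the NIS map")
        else:
            continue                             # bare "-" carries no name; skip
        if sign == "-":
            excluded |= members                  # bars inclusions that follow
        else:
            # Only users still present in NIS, minus anyone barred earlier.
            from_nis |= (members & set(nis_users)) - excluded
    return local, from_nis, warnings

if __name__ == "__main__":
    print(admitted_users(PASSWD_FILE, NIS_PASSWD, NETGROUPS))
    # carol removed from NIS: her "+carol" line no longer grants access
    print(admitted_users(PASSWD_FILE, NIS_PASSWD - {"carol"}, NETGROUPS))
```

Run against a copy of a real /etc/passwd, the warnings list is a quick check for a bare "+" line, which recreates the "anyone in the name service can log in" situation the message describes.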