12.3.1. Managing the root password with NIS

NIS can be used to solve a common dilemma at sites with advanced, semi-trusted users. Many companies allow users of desktop machines to have the root password on their local hosts to install software, make small modifications, and power down/boot the system without the presence of a system administrator. With a different, user-specific root password on every system, the job of the system administrator quickly becomes a nightmare. Similarly, using the same root password on all systems defeats the purpose of having one.

Root privileges on servers should be guarded much more carefully, since too many hands touching host configurations inevitably creates untraceable problems. It is important to stress to semi-trusted users that their lack of root privileges on servers does not reflect a lack of expertise or trust, but merely a desire to exert full control over those machines for which you have full and total responsibility. Any change to a server that impacts the entire network becomes your immediate problem, so you should have jurisdiction over those hosts. One way to discourage would-be part-time superusers is to require anyone with a server root password to carry the 24-hour emergency beeper at least part of each month.

Some approach is required that allows users to gain superuser access to their own hosts, but not to servers. At the same time, the system administrator must be able to become root on any system at any time to perform day-to-day maintenance. To solve the second problem, a common superuser password can be managed by NIS. Add an entry to the NIS password maps that has a UID of 0, but login name that is something other than root. For example, you might use a login name of netroot. Make sure the /etc/nsswitch.conf file on each host lists nis on the passwd: entry:

passwd: files nis

Users are granted access to their own host via the root entry in the /etc/passwd file.

Instead of creating an additional root user, some sites use a modified version of su that consults a "personal" password file. The additional password file has one entry for each user that is allowed to become root, and each user has a unique root password.[20] With either system, users are able to manage their own systems but will not know the root passwords on any other hosts. The NIS-managed netroot password ensures that the system administration staff can still gain superuser access to every host.

[20]An su-like utility is contained in Unix System Administration Handbook, by Evi Nemeth, Scott Seebass, and Garth Snyder (Prentice-Hall, 1990).

12.3.2. Making NIS more secure

Aside from the caveats about trivial passwords, there are a few precautions that can be taken to make NIS more secure:

• If you are trying to keep your NIS maps private to hide hostnames or usernames within your network, do not make any host that is on two or more networks an NIS server. Users on the external networks can forcibly bind to your NIS domain and dump the NIS maps from a server that is also performing routing duties. While the same trick may be performed if the NIS server is inside the router, it can be defeated by disabling IP packet forwarding on the router. Appendix A, "IP Packet Routing" covers this material in more detail.

• On the master NIS server, separate the server's password file and the NIS password file so that all users in the NIS password file do not automatically gain access to the NIS master server. A set of changes for building a distinct password file was presented in Section 4.2.6, "Using alternate map source files".

• Periodically check for null passwords using the following awk script:

  #! /bin/sh 
  # ( cat /etc/shadow; ypcat passwd ) | awk -F':' '{if ($2 == "") print $1 ;}'

• The subshell concatenates the local password file and the NIS passwd map; the awk script prints any username that does not have an entry in the password field of the password map.

• Consider configuring the system so that it cannot be booted single-user without supplying the root password. On Solaris 8, this is the default behavior, and can be overridden by adding this entry to /etc/default/sulogin:

  PASSREQ=NO  

  When the system is booted in single-user mode, the single-user shell will not be started until the user supplies the root password.

• Configure the system so that superuser can only log into the console, i.e., superuser cannot rlogin into the system. On Solaris 8, you do this by setting the CONSOLE variable in /etc/default/login:

  CONSOLE=/dev/console

• On Sun systems, the boot PROM itself can be used to enforce security. To enforce PROM security, change the security-mode parameter in the PROM to full:

  # eeprom security-mode=full

  No PROM commands can be entered without supplying the PROM password; when you change from security-mode=none to security-mode=full you will be prompted for the new PROM password. This is not the same as the root password, and serves as a redundant security check for systems that can be halted and booted by any user with access to the break or reset switches.

WARNING: There is no mechanism for removing the PROM security without supplying the PROM password. If you forget the PROM password after installing it, there is no software method for recovery, and you'll have to rely on Sun's customer service organization to recover!