debian-security December 2011 archive

local authentication spoofing using libnss-ldap

From: Yann Autissier <yann_at_nospam>
Date: Thu Dec 22 2011 - 16:01:20 GMT
To: debian-security@lists.debian.org

Hi List,

I am using the libnss-ldap and libpam-ldap packages with default configuration.

NSS is configured to allow passwd and group resolution over ldap.

user@host:~$ cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap

If a user account exists in local /etc/passwd and in the ldap database, the user
can authenticate with both passwords, but is always logged in as the local user.

It seems to me that nss should resolve the correct uid.

I can create an LDAP account named 'root', with a weak password and uid 12345,
then su - on the system and log in as root with the weak password, and get uid 0.

It's not debian related, but I would like to know if this is a misconfiguration.

Any advice ?

Regards,
Yann

Archive: http://lists.debian.org/4EF35450.10603@autissier.net
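The two mechanisms behind the behaviour described in the mail are separate: NSS answers "who is root?" by walking the sources in `passwd: compat ldap` order and returning the first hit (the local /etc/passwd entry, uid 0), while the PAM auth stack answers "is this password good?" by trying pam_unix and then pam_ldap, so either password is accepted. The following Python is an added illustration, not code from the mail and not the implementation of libnss-ldap or libpam-ldap; it models both lookups over constructed local and LDAP account data, reproduces the uid-0 outcome, and adds the two checks a practitioner would want: an audit for LDAP account names that collide with local ones, and a minimum-uid guard on the LDAP authentication step. The `ldap_min_uid` parameter is an assumption standing in for whatever minimum-uid or account-filtering option a given pam_ldap build offers; password checks are plain comparisons rather than shadow hashes or LDAP binds.

```python
"""Model of NSS 'passwd: compat ldap' name resolution plus a Debian-style PAM
auth stack (pam_unix, then pam_ldap use_first_pass). Shows why an LDAP account
whose name matches a local account is authenticated by LDAP but ends up with
the local uid, and how to detect and block that. All data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PwEntry:
    name: str
    uid: int
    source: str  # "files" (local /etc/passwd) or "ldap"


# Constructed stand-in for /etc/passwd. Passwords are kept separately in
# LOCAL_PASSWORDS purely for the simulation (real pam_unix checks /etc/shadow).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
yann:x:1000:1000:Yann:/home/yann:/bin/bash
"""
LOCAL_PASSWORDS = {"root": "strong-local-root-pw", "yann": "yann-local-pw"}

# Constructed stand-in for posixAccount entries in the directory. The "root"
# entry with uid 12345 and a weak password is the scenario from the mail.
LDAP_ACCOUNTS = [
    PwEntry("root", 12345, "ldap"),
    PwEntry("alice", 20001, "ldap"),
]
LDAP_PASSWORDS = {"root": "weak", "alice": "alice-ldap-pw"}


def parse_passwd(text: str) -> List[PwEntry]:
    """Parse passwd(5) lines into entries tagged with the 'files' source."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries.append(PwEntry(fields[0], int(fields[2]), "files"))
    return entries


LOCAL = parse_passwd(LOCAL_PASSWD)
NSS_SOURCES = [LOCAL, LDAP_ACCOUNTS]  # 'passwd: compat ldap' order


def nss_getpwnam(name: str, sources: List[List[PwEntry]]) -> Optional[PwEntry]:
    """Consult each NSS source in order and return the first entry matching name."""
    for source in sources:
        for entry in source:
            if entry.name == name:
                return entry
    return None


def pam_authenticate(name: str, password: str,
                     ldap_min_uid: Optional[int] = None) -> Optional[str]:
    """Return the module that accepted the password ('pam_unix' or 'pam_ldap'),
    or None. pam_unix is tried first; pam_ldap gets the same password after it.
    ldap_min_uid (an assumed deployment guard, not a specific module option)
    refuses LDAP authentication for names that NSS resolves to a low uid."""
    if LOCAL_PASSWORDS.get(name) == password:
        return "pam_unix"
    resolved = nss_getpwnam(name, NSS_SOURCES)
    if ldap_min_uid is not None and resolved is not None and resolved.uid < ldap_min_uid:
        return None
    if LDAP_PASSWORDS.get(name) == password:
        return "pam_ldap"
    return None


def simulate_su(name: str, password: str,
                ldap_min_uid: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Model 'su - name': authenticate via PAM, then start the session as the
    uid NSS resolves for the name. Returns (module, uid) or None on failure."""
    module = pam_authenticate(name, password, ldap_min_uid)
    if module is None:
        return None
    entry = nss_getpwnam(name, NSS_SOURCES)
    if entry is None:
        return None
    return module, entry.uid


def find_collisions(local: List[PwEntry],
                    ldap: List[PwEntry]) -> List[Tuple[str, int, int]]:
    """Audit: LDAP account names that also exist locally, with both uids."""
    by_name = {e.name: e for e in local}
    return [(e.name, by_name[e.name].uid, e.uid) for e in ldap if e.name in by_name]


if __name__ == "__main__":
    print("weak LDAP password for 'root' ->", simulate_su("root", "weak"))
    print("same, with ldap_min_uid=1000   ->", simulate_su("root", "weak", 1000))
    print("name collisions to fix in LDAP ->", find_collisions(LOCAL, LDAP_ACCOUNTS))
```

With the default stack the weak LDAP password for "root" is accepted by pam_ldap and the session runs as uid 0, because NSS hands back the local entry regardless of which module authenticated. The collision audit is the check to run against a real directory: any LDAP posixAccount whose uid attribute equals a name in /etc/passwd is such a path. The minimum-uid guard is the defence that holds even if a collision slips in, since it keeps system accounts out of LDAP authentication entirely.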