Solaris Naming Setup and Configuration Guide

Limiting Access to the Passwd Column to Owners and Administrators

This task describes how to limit read access to the password-related columns of the passwd table (passwd and shadow) to the entry owner and the table administrators, without affecting the read access of other authenticated principals (including applications) to the remaining columns. It does so by removing the world read right at the table level and then granting read on the two columns to the entry owner only; the other columns keep the read right that their own column-level permissions grant to nobody and world, so ordinary lookups of names, UIDs, GIDs, home directories, and shells continue to work.

This task establishes the following rights. In the column rows, Owner is the owner of each entry (the user the entry belongs to) and Group is the table's group, which holds the administrators; the group's rmcd on the columns comes from the table-level rights, not from the columns themselves:


                         Nobody  Owner   Group  World
Table Level Rights:      ----    rmcd    rmcd   ----
Passwd Column Rights:    ----    rm--    rmcd   ----
Shadow Column Rights:    ----    r---    rmcd   ----

Passwd Column Security Considerations

Prerequisites

Information You Need

All you need is the name of the passwd table.

How to Limit Read Access to the Passwd Column

  1. Log in to the domain's master server.

    The examples in this task use the root master server, rootmaster.

  2. Check the current table and column permissions.

    Use the niscat -o command.


    rootmaster# niscat -o passwd.org_dir

    This task assumes the existing permissions are the ones shown below. Each Access Rights field is 16 characters, four rmcd groups in the order nobody, owner, group, world; the first field is the table-level rights, the rest are column-level rights:


    Access Rights    : ----rmcdrmcdr---
    Columns          :
        [0]  Name          : name
             Access Rights : r-----------r---
        [1]  Name          : passwd
             Access Rights : -----m----------
        [2]  Name          : uid
             Access Rights : r-----------r---
        [3]  Name          : gid
             Access Rights : r-----------r---
        [4]  Name          : gcos
             Access Rights : r----m------r---
        [5]  Name          : home
             Access Rights : r-----------r---
        [6]  Name          : shell
             Access Rights : r-----------r---
        [7]  Name          : shadow
             Access Rights : r-----------r---

    If your permissions differ from these, adjust the nischmod and nistbladm arguments in the following steps accordingly. For the rights syntax, see the rights chapter of Solaris Naming Administration Guide.

  3. Change the table permissions.

    Use the nischmod command to change the table's object-level permissions from ----rmcdrmcdr--- to ----rmcdrmcd---- (nobody ----, owner rmcd, group rmcd, world ----). The og=rmcd part leaves the owner's and group's rights as they are; nw= clears every right of nobody and world, which removes the table-level read right that let any principal read the whole table, passwd column included.


    rootmaster# nischmod og=rmcd,nw= passwd.org_dir
  4. Change the column permissions.

    Use the nistbladm command with the -u option to give the entry owner read access to the passwd and shadow columns. Each column=rights argument is a separate word, and the rights specification uses the nischmod syntax. The column-level rights become:


    passwd ---- rm-- ---- ----   (----rm----------)
    shadow ---- r--- ---- ----   (----r-----------)

    rootmaster# nistbladm -u passwd=o+r shadow=o+r passwd.org_dir

    o+r only adds the owner's read right; it takes nothing away. If niscat -o showed that the shadow column itself grants read to nobody or world (as the r-----------r--- line in the Step 2 listing does), those column-level rights are not touched by the table change in Step 3 and must be removed as well; several changes to one column are comma-separated, so the shadow argument becomes shadow=o+r,nw-r.
  5. Verify the new permissions.

    Use the niscat -o command as you did in Step 2. The table-level Access Rights line should now read ----rmcdrmcd---- (no world read), the passwd column should read ----rm---------- (owner read added), and the shadow column should have r in the owner position (character 5 of the mask) and no r in the nobody or world positions (characters 1 and 13). The other columns are unchanged, so name, uid, gid, gcos, home, and shell remain readable by nobody and world through their own column rights.
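The whole procedure, as an added example that is not part of the original guide: a POSIX shell script that models what the nischmod and nistbladm -u commands of Steps 3 and 4 do to the Step 2 listing and then audits the result the way Step 5 should. Nothing in it talks to an NIS+ server. It assumes only the 16-character rights-mask layout (nobody, owner, group, world) and the nischmod specification syntax used above; the niscat -o text is constructed from the Step 2 listing, not captured from a server, and the functions apply_rights, plan_rights and audit_passwd_rights are mine, not Solaris commands. It goes a little beyond the text in two places: the audit treats a nobody or world read right at the table level as reaching every column (the reason Step 3 exists), and the plan includes the nw-r change on the shadow column for the case where that column itself grants read to nobody or world.

```shell
#!/bin/sh
# Added example (not from the Solaris guide). Models the rights changes of
# Steps 3 and 4 against a constructed copy of the Step 2 listing and audits it.

# Constructed to match the "before" listing in Step 2; not captured output.
SAMPLE_BEFORE='Access Rights : ----rmcdrmcdr---
Columns :
    [0]  Name          : name
         Access Rights : r-----------r---
    [1]  Name          : passwd
         Access Rights : -----m----------
    [2]  Name          : uid
         Access Rights : r-----------r---
    [3]  Name          : gid
         Access Rights : r-----------r---
    [4]  Name          : gcos
         Access Rights : r----m------r---
    [5]  Name          : home
         Access Rights : r-----------r---
    [6]  Name          : shell
         Access Rights : r-----------r---
    [7]  Name          : shadow
         Access Rights : r-----------r---'

# apply_rights MASK SPEC: rewrite a 16-character NIS+ rights mask (four rmcd
# groups: nobody, owner, group, world) by a nischmod-style SPEC such as
# "og=rmcd,nw=" or "o+r,nw-r". Prints the resulting mask.
apply_rights() {
  printf '%s\n' "$1" | awk -v spec="$2" '
    function off(w) { return (index("nogw", w) - 1) * 4 }   # start of that class
    function setch(seg, k, ch) { return substr(seg, 1, k - 1) ch substr(seg, k + 1) }
    {
      mask = $0
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        part = parts[i]
        if (!match(part, /[+=-]/)) continue      # no operator: ignore the piece
        op = substr(part, RSTART, 1)
        who = substr(part, 1, RSTART - 1)
        rights = substr(part, RSTART + 1)
        for (j = 1; j <= length(who); j++) {
          o = off(substr(who, j, 1))
          seg = substr(mask, o + 1, 4)
          if (op == "=") seg = "----"            # "=" replaces; "+" and "-" adjust
          for (k = 1; k <= 4; k++) {
            r = substr("rmcd", k, 1)
            if (index(rights, r) == 0) continue
            seg = setch(seg, k, (op == "-") ? "-" : r)
          }
          mask = substr(mask, 1, o) seg substr(mask, o + 5)
        }
      }
      print mask
    }'
}

# plan_rights TEXT target=SPEC...: TEXT is niscat -o style output; each
# further argument names "table" or a column and the spec to apply to it.
# Prints the text with every Access Rights mask rewritten accordingly.
plan_rights() {
  text=$1; shift
  printf '%s\n' "$text" | {
    target=table
    while IFS= read -r line; do
      case $line in
        *'['*']'*Name*:*) target=${line##*: } ;;       # "[1]  Name : passwd" -> passwd
        *'Access Rights'*:*)
          mask=${line##*: }
          for change in "$@"; do
            [ "${change%%=*}" = "$target" ] && mask=$(apply_rights "$mask" "${change#*=}")
          done
          line="${line%: *}: $mask" ;;
      esac
      printf '%s\n' "$line"
    done
  }
}

# audit_passwd_rights: reads niscat -o style text on stdin and reports every
# way nobody or world can read the passwd or shadow column, directly through
# the column or through a table-level read right. Exit status 1 on findings.
audit_passwd_rights() {
  awk '
    /^[ \t]*Access Rights/ { m = $NF; if (!seen) { table = m; seen = 1 } else colmask[col] = m; next }
    /\[[0-9]+\][ \t]*Name/ { col = $NF; cols[++ncol] = col }
    END {
      bad = 0
      nr = (substr(table, 1, 1) == "r"); wr = (substr(table, 13, 1) == "r")
      if (nr) { print "table: nobody has read"; bad = 1 }
      if (wr) { print "table: world has read"; bad = 1 }
      for (i = 1; i <= ncol; i++) {
        c = cols[i]; if (c != "passwd" && c != "shadow") continue
        if (nr || substr(colmask[c], 1, 1) == "r") { print c ": nobody has read"; bad = 1 }
        if (wr || substr(colmask[c], 13, 1) == "r") { print c ": world has read"; bad = 1 }
      }
      exit bad
    }'
}

# Steps 3 and 4 (nischmod og=rmcd,nw= ; nistbladm -u passwd=o+r shadow=o+r),
# plus nw-r on shadow because the sample shadow column grants read to nobody
# and world (an assumption about this listing; see the note in Step 4).
PLAN='table=og=rmcd,nw= passwd=o+r shadow=o+r,nw-r'
audit_before() { printf '%s\n' "$SAMPLE_BEFORE" | audit_passwd_rights; }
audit_after()  { plan_rights "$SAMPLE_BEFORE" $PLAN | audit_passwd_rights; }

echo "== before =="; audit_before
echo "== after ==";  plan_rights "$SAMPLE_BEFORE" $PLAN
audit_after && echo "OK: only the entry owner and the table group can read passwd and shadow"
```

Run it on a real server by replacing SAMPLE_BEFORE with `niscat -o passwd.org_dir` output: `audit_passwd_rights` before the change lists what the world read at the table level exposes, and after Steps 3 and 4 it should print nothing and exit 0.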