Re: securityhole /proc/sys/kernel/domainname

eichin@mit.edu
Wed, 21 Feb 96 18:12:18 EST


Actually, in the MIT Athena environment, things work reasonably well
without the ability to do getpwent. getpwnam and getpwuid are done
through Hesiod (kind of like NIS except that it is based on DNS, so
you actually have a working distribution system.)

The only feature that is actually *missed* is being able to hit ~<TAB>
in tcsh and get completion... but really, with over 10K user accounts,
do you *want* that to work? :-)

The optimized ls postulated would work as well (or better) by simply
caching the getpwuid returns -- so you only cached the things you
really found. (Though the local named caching works pretty well for
that, the hesiod mods in ls at athena seem fast enough...)

In conclusion, getpwent just isn't that important. Still, hiding the
domainname probably doesn't help that much in practice, if you're
running portmap at all there's probably some way to get at it :-) But
then again, it also keeps people from making the mistake of assuming
hostname+NIS-domainname => FQDN...