Network Information Service
Network Information Service (NIS) [SUN90b],
formerly called Yellow Pages (YP),
is a distributed database system that lets systems share password
files, group files, host tables, and other files over the network.
NIS simplifies the management of a network
because all of the account and configuration information is
reconstructed and stored
on a single computer, the NIS master server.
NIS is included with SunOS, most SVR4 UNIX systems, and many other
flavors of UNIX.
Shared NIS database files are called maps, and hosts that belong to the same
NIS domain share the same set of maps.
NIS slave servers, which
obtain up-to-date copies of the maps from the NIS master server, are used
to provide information when the NIS master server is down.
Although NIS simplifies the task of system administration, it
also presents several security problems when it is not
securely configured.
NIS naming services were originally designed to address
the administration requirements of client/server networks in the
1980s.
Such networks had specific characteristics, including [JS92]:
- Their size seldom exceeded a few hundred multivendor client desktops
and a few general-purpose servers.
- They spanned at most a few geographically remote sites.
- They had friendly, trusted, and sophisticated users, and security
was not an issue.
Since NIS was not designed to address security requirements, NIS
is susceptible to abuse.
The following is a list of threats associated with using
NIS [Cur92].
Section 10.2.10 discusses measures that can be taken to avoid
potential security problems with NIS.
- The file hosts.equiv is one of the many files that can be
controlled with NIS.
Systems that come with NIS software from Sun Microsystems
are distributed with the default hosts.equiv file containing
a "+" as its single entry. This is a threat because the default
hosts.equiv file considers all hosts to be trusted.
- NIS works by having either of the lines "+::0:0:::" or "+:"
in the password or group file.
When a program reads the password or group
file and encounters a line with a "+" as the first character, the plus sign
indicates that the program needs to ask the NIS server for the
remainder of the file. Using the "+::0:0:::" format is a threat because
for some systems, if the leading "+" is carelessly deleted, an
attacker can log in with a
null login name and gain superuser access to the system.
- The ypset command can be used to tell a process called
ypbind that NIS requests should be sent to a specific host.
This feature was designed to allow debugging and to allow hosts that
are not on a network with an NIS server to use NIS. The ypset
command presents a security problem because it can be used to direct
requests to a fake NIS server.
- Certain versions of NIS map-building procedures leave the
maps world-writeable. World-writeable maps pose a threat because
anyone is capable of changing the contents of the maps to
invalid information.
- Any user is capable of obtaining copies of the databases
exported by an NIS server. This can result in unintended
disclosure of the distributed password file and all the other
information contained in the NIS database.
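
A defensive audit for three of the misconfigurations listed above (the bare "+" in hosts.equiv, the "+::0:0:::" marker and its damaged form, and world-writeable maps), as an added example that is not part of the original document. The function names and sample data are constructed for illustration, and the map directory is whatever path the caller supplies.

```python
import os
import stat

def audit_passwd(text):
    """Return (line_no, issue) pairs for risky lines in passwd-format text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(":")
        name = fields[0]
        uid = fields[2] if len(fields) > 2 else ""
        if name == "" and uid == "0":
            # What "+::0:0:::" becomes if the leading "+" is deleted.
            findings.append((n, "empty login name with UID 0"))
        elif name == "+" and uid == "0":
            # Still a valid NIS marker, but one keystroke from the case above.
            findings.append((n, "NIS marker carries UID 0"))
    return findings

def audit_hosts_equiv(text):
    """Flag a bare "+" entry, which trusts every host."""
    return [(n, "wildcard + entry")
            for n, raw in enumerate(text.splitlines(), 1)
            if raw.strip() == "+"]

def world_writable_files(directory):
    """Names of regular files in `directory` that any user can write."""
    hits = []
    for name in sorted(os.listdir(directory)):
        mode = os.stat(os.path.join(directory, name)).st_mode
        if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
            hits.append(name)
    return hits

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = (
    "root:*:0:0:root:/:/bin/sh\n"
    "alice:*:1001:100::/home/alice:/bin/sh\n"
    "+::0:0:::\n"
)
SAMPLE_HOSTS_EQUIV = "+\n"

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(finding)
```

The short "+:" marker produces no finding, since deleting its "+" does not leave a UID 0 entry behind.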
Network Information Services Plus (NIS+), incorporated
into Solaris 2.0 (SunOS 5.0), replaces NIS.
NIS+ enhancements include support for hierarchical domain names,
use of a new database model, and changes to the NIS authentication and
authorization model [JS92]. NIS+ contains security
aspects lacking in NIS.
John Barkley
Fri Oct 7 16:17:21 EDT 1994