The Local Domain and NetInfo

The local domain is the default directory domain of the system. It consists of the following parts:

  • The local NetInfo database that is created when the operating system is first installed. It is located in the /var/db/netinfo directory.

  • The local Shadow Password database, created when the operating system is first installed, located in the /var/db/shadow directory.

  • Bonjour, SLP, and SMB for discovery of shared filesystems and other network services.

The Shadow Password database was a new feature in Panther. In prior versions of Mac OS X, the passwords were encrypted (using the crypt command-line tool) into a hash form and stored directly in the NetInfo database. However, because the information in the NetInfo database is available to anybody on the machine, the passwords were vulnerable to decryption attempts. All you had to do was dump out the NetInfo database (you’ll see the commands to do that later in this chapter) to a flat file and then run any number of password-cracking utilities against the file. You could even do so on a separate machine once you had the flat file.

The Shadow Password database changes this, locking passwords into a directory where they can be accessed only by the root user of the system, thereby closing this security vulnerability. When the system needs to authenticate a user, Open Directory looks at the user’s NetInfo record, sees that the password is in the Shadow Password database, and then compares the information given to ...
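The contrast drawn above (a crypt hash sitting in the world-readable NetInfo record versus a "********" placeholder whose real hash lives under root-only /var/db/shadow) can be audited from a passwd-style dump of the local domain. The following script is an added example, not code from the book: it assumes the BSD passwd line format that nidump produces and treats "********" as the marker for a shadowed account; the sample records are constructed, and the crypt hash in them is a made-up 13-character string.

```python
import re

# Traditional DES crypt(3) output: 2-character salt + 11 characters, all drawn from [./0-9A-Za-z].
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Assumed marker: on Panther/Tiger a shadowed account shows this in the NetInfo passwd field.
SHADOW_MARKER = "********"


def classify_password_field(field: str) -> str:
    """Classify the passwd field of one local-domain user record.

    'empty'    - no password at all; the account can be used without a secret
    'disabled' - '*' or '!' alone; login is disabled and there is nothing to crack
    'shadowed' - placeholder only; the real hash is in /var/db/shadow (root-readable)
    'crypt'    - a legacy crypt(3) hash stored in the world-readable record itself
    'unknown'  - anything else (treat as worth a manual look)
    """
    if field == "":
        return "empty"
    if field in ("*", "!"):
        return "disabled"
    if field == SHADOW_MARKER:
        return "shadowed"
    if CRYPT_RE.match(field):
        return "crypt"
    return "unknown"


def audit_passwd_dump(dump: str) -> dict:
    """Map each user name in a passwd-format dump to its password-field classification.

    Expected line layout (BSD passwd, as printed by `nidump passwd .`):
    name:passwd:uid:gid:class:change:expire:gecos:home:shell
    """
    results = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd record; skip rather than guess
        results[fields[0]] = classify_password_field(fields[1])
    return results


def exposed_accounts(dump: str) -> list:
    """Accounts whose secret (or lack of one) is readable by any local user."""
    return sorted(
        user for user, kind in audit_passwd_dump(dump).items()
        if kind in ("crypt", "empty")
    )


# Constructed sample dump: two shadowed accounts, one legacy crypt hash,
# one disabled system account, and one account with no password at all.
SAMPLE_DUMP = """\
root:********:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:********:501:501::0:0:Alice:/Users/alice:/bin/bash
legacy:mbz.qRH4P/Z/A:502:502::0:0:Legacy User:/Users/legacy:/bin/bash
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
guest::503:503::0:0:Guest:/Users/guest:/bin/bash
"""

if __name__ == "__main__":
    for user, kind in audit_passwd_dump(SAMPLE_DUMP).items():
        print(f"{user:10s} {kind}")
    print("exposed:", exposed_accounts(SAMPLE_DUMP))
```

Any account reported as "crypt" still carries a hash in the NetInfo database that every local user can read, which is exactly the pre-Panther exposure the text describes; "empty" is worse, since no cracking is needed. Both warrant resetting the password so the record is migrated to the Shadow Password database.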
