authorwpaul <wpaul@FreeBSD.org>1995-02-04 21:32:04 +0000
committerwpaul <wpaul@FreeBSD.org>1995-02-04 21:32:04 +0000
commita9318a2ce2af753619f08dc1ff1d96de22daaeb5 (patch)
treea6ffecc627cee860e5970d95e3c365716efecbdd /gnu/usr.sbin
parent472cc5aac8bf04dbc3a02a6382ed1cd8c092c9fd (diff)
downloadFreeBSD-src-a9318a2ce2af753619f08dc1ff1d96de22daaeb5.zip
FreeBSD-src-a9318a2ce2af753619f08dc1ff1d96de22daaeb5.tar.gz
Created manual page for ypserv and changed Makefile to install it.
Also tweaked server.c to support newer versions of tcpwrapper (log_tcp.h is now tcpd.h and FROM_UNKNOWN changed to STRING_UNKNOWN).
Diffstat (limited to 'gnu/usr.sbin')
-rw-r--r--gnu/usr.sbin/ypserv/Makefile4
-rw-r--r--gnu/usr.sbin/ypserv/server.c8
-rw-r--r--gnu/usr.sbin/ypserv/ypserv.8278
3 files changed, 286 insertions, 4 deletions
diff --git a/gnu/usr.sbin/ypserv/Makefile b/gnu/usr.sbin/ypserv/Makefile
index 02358bc..8ce36f6 100644
--- a/gnu/usr.sbin/ypserv/Makefile
+++ b/gnu/usr.sbin/ypserv/Makefile
@@ -1,4 +1,4 @@
-# $Id: Makefile,v 1.3 1995/02/03 03:41:38 wpaul Exp $
+# $Id: Makefile,v 1.4 1995/02/03 22:01:17 wpaul Exp $
# From: @(#)Makefile 8.3 (Berkeley) 4/2/94
PROG= ypserv
@@ -7,7 +7,7 @@ SRCS= dnslookup.c yp_svc.c yp_xdr.c server.c
CFLAGS+=-Wall -DTCP_WRAPPER=0 -DTCPW_FACILITY=LOG_AUTH
CFLAGS+=-DINSTDIR='"/usr/libexec"'
-MAN8=
+MAN8= ypserv.8
afterinstall: /var/yp/Makefile /usr/libexec/mknetid
diff --git a/gnu/usr.sbin/ypserv/server.c b/gnu/usr.sbin/ypserv/server.c
index 1ed70bc..bfa2e1a 100644
--- a/gnu/usr.sbin/ypserv/server.c
+++ b/gnu/usr.sbin/ypserv/server.c
@@ -24,7 +24,7 @@
** Ported to FreeBSD and hacked all to pieces
** by Bill Paul <wpaul@ctr.columbia.edu>
**
-** $Id$
+** $Id: server.c,v 1.1 1995/01/31 08:58:53 wpaul Exp $
**
*/
@@ -68,7 +68,7 @@ HASHINFO openinfo = {
};
#if TCP_WRAPPER
-#include "log_tcp.h"
+#include "tcpd.h"
int allow_severity=LOG_INFO;
int deny_severity=LOG_WARNING;
#endif
@@ -141,6 +141,10 @@ static int is_valid_host(struct sockaddr_in *sin)
h = (hp && hp->h_name) ? hp->h_name : NULL;
#endif
+#ifndef FROM_UNKNOWN
+#define FROM_UNKNOWN STRING_UNKNOWN
+#endif
+
status = hosts_ctl(progname,
h?h:FROM_UNKNOWN,
inet_ntoa(sin->sin_addr),
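Review bot: The `#ifndef FROM_UNKNOWN` / `#define FROM_UNKNOWN STRING_UNKNOWN` shim is dropped into the middle of is_valid_host's body, between the reverse-lookup code and the hosts_ctl() call, which is an odd place for a preprocessor compatibility define. It belongs next to the `#include "tcpd.h"` inside the `#if TCP_WRAPPER` block (the earlier hunk at line 68 of server.c), where it is visibly tied to the header that may or may not supply the name and where anyone auditing the tcpwrapper glue will look for it; moving the three lines there changes nothing at runtime. A one-line comment would make the intent clear to the next reader: `/* older tcpwrapper releases name this FROM_UNKNOWN, newer ones STRING_UNKNOWN */`. Note that is_valid_host begins and ends outside this hunk, so the surrounding logic that produces `h` was not reviewed here.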
diff --git a/gnu/usr.sbin/ypserv/ypserv.8 b/gnu/usr.sbin/ypserv/ypserv.8
new file mode 100644
index 0000000..5b5ac91
--- /dev/null
+++ b/gnu/usr.sbin/ypserv/ypserv.8
@@ -0,0 +1,278 @@
+.\" Copyright (c) 1991, 1993
+.\" The Regents of the University of California. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 4, 1995
+.Dt YPSERV 8
+.Os
+.Sh NAME
+.Nm ypserv
+.Nd "NIS database server"
+.Sh SYNOPSIS
+.Nm ypserv
+.Op Fl dns
+.Op Fl debug
+.Op Fl p Ar port
+.Sh DESCRIPTION
+.Nm NIS
+is an RPC-based service designed to allow a number of UNIX-based
+machines to share a common set of configuration files. Rather than
+requiring a system administrator to update several copies of files
+such as
+.Pa /etc/hosts ,
+.Pa /etc/passwd
+and
+.Pa /etc/group ,
+which tend to require frequent changes in most environments, NIS
+allows groups of computers to share one set of data which can be
+updated from a single location.
+.Pp
+.Nm ypserv
+is the server that distributes NIS databases
+to client systems within an NIS
+.Nm domain.
+Each client in an NIS domain must have its domainname set to
+one of the domains served by
+.Nm ypserv
+using the
+.Xr domainname 2
+command. The clients must also run
+.Xr ypbind 8
+in order to attach to a particular server, since it is possible to
+have serveral servers within a single NIS domain.
+.Pp
+The databases distributed by
+.Nm ypserv
+are stored in
+.Pa /var/yp/[domainname]
+where
+.Pa domainname
+is the name of the domain being served. There can be several
+such directories with different domainnames, and
+.Nm ypserv
+cam handle them all.
+.Pp
+The databases, or
+.Pa maps
+as they are often called,
+are created by
+.Nm /var/yp/Makefile
+using several system files as source. The database files are in
+.Xr db 3
+format to help speed retrieval when there are many records involved.
+In FreeBSD, the
+maps are always readable and writable only by root for security
+reasons. Technically this is only necessary for the password
+maps, but since the data in the other maps can be found in
+other world-readable files anyway, it doesn't hurt and it's considered
+good general practice.
+.Pp
+.Nm ypserv
+is started by
+.Nm /etc/rc.local
+if it has been enabled in
+.Nm /etc/netstart.
+.Sh SPECIAL FEATURES
+There are some problems associated with distributing FreeBSD's password
+database via NIS: FreeBSD normally only stores encrypted passwords
+in
+.Pa /etc/master.passwd ,
+which is readable and writable only by root. By turning this file
+into an NIS map, this security feature would be completely defeated.
+.Pp
+To make up for this, the FreeBSD version of
+.Nm ypserv
+handles the
+.Pa master.passwd.byname
+and
+.Pa master.basswd.byuid
+maps in a special way. When the server receives a request to access
+either of these two maps, it will check the TCP port from which the
+request originated and return an error if the port number is greater
+than 1023. Since only the superuser is allowed to bind to TCP ports
+with values less than 1024, the server can use this test to determine
+whether or not the access request came from a privileged user.
+Any requests made by non-privileged users are therefore rejected.
+.Pp
+Furthermore, the
+.Xr getpwent 3
+routines in FreeBSD's standard C libarary will only attempt to retrieve
+data from the
+.Pa master.passwd.byname
+and
+.Pa master.passwd.byuid
+maps for the superuser: if a normal user calls any of these functions,
+the standard
+.Pa passwd.byname
+and
+.Pa passwd.byuid
+maps will be accessed instead. The latter two maps are constructed by
+.Nm /var/yp/Makefile
+by parsing the
+.Pa master.passwd
+file and stripping out the password fields, and are therefore
+safe to pass on to unprivileged users. In this way, the shadow password
+aspect of the protected
+.Pa master.passwd
+database is maintained through NIS.
+.Pp
+.Sh NOTES
+.Ss Limitations
+There are two problems inherent with password shadowing in NIS
+that users should
+be aware of:
+.Bl -enum -offset indent
+.It
+The 'TCP port less than 1024' test is trivial to defeat for users with
+unrestricted access to machines on your network (even those machines
+which do not run UNIX-based operating systems).
+.It
+If you plan to use a FreeBSD system to serve non-FreeBSD clients that
+have no support for password shadowing (which is most of them), you
+will have to disable the password shadowing entirely by uncommenting the
+.Nm UNSECURE=True
+entry in
+.Nm /var/yp/Makefile .
+This will cause the standard
+.Pa passwd.byname
+and
+.Pa passwd.byuid
+maps to be generated with valid encrypted password fields, which is
+neccesary in order for non-FreeBSD clients to perform user
+authentication through NIS.
+.El
+.Pp
+.Ss Security
+.Nm ypserv
+has support for Wietse Venema's
+.Pa tcpwrapper
+package built in, though it is not compiled in by default since
+the
+.Pa tcpwrapper
+package is not distributed with FreeBSD. However, if you have
+.Nm libwrap.a
+and
+.Nm tcpd.h ,
+you can easily recompile
+.Nm ypserv
+with them, thereby enabling its 'securenets' features: you can
+configure
+.Nm ypserv
+to only handle resquests from machines listed
+in the
+.Pa tcpwrapper
+configuration files, which would help limit vulnerability to the
+first limitation listed above.
+.Pp
+.Ss NIS servers that are also NIS clients
+Care must be taken when running
+.Nm ypserv
+in a multi-server domain where the server machines are also
+NIS clients. It is generally a good idea to force the servers to
+bind to themselves rather than allowing them to broadcast bind
+requests and possibly become bound to each other: strange failure
+modes can result if one server goes down and
+others are dependent upon on it. (Eventually all the clients will
+time out and attempt to bind to other servers, but the delay
+involved can be considerable and the failure mode is still present
+since the servers might bind to each other all over again).
+.Pp
+Refer to the
+.Xr ypbind 8
+man page for details on how to force it to bind to a particular
+server.
+.Sh OPTIONS
+The following options are supported by
+.Nm ypserv :
+.Bl -tag -width flag
+.It Fl dns
+This option affects the way
+.Nm ypserv
+handles yp_match requests for the
+.Pa hosts.byname
+and
+.Pa hosts.byaddress
+maps. By default, if
+.Nm ypserv
+can't find an entry for a given host in its hosts maps, it will
+return an error and perform no further processing. With the
+.Fl dns
+flag,
+.Nm ypserv
+will go one step further: rather than giving up immediately, it
+will try to resolve the hostname or address using a DNS query.
+If the query is successful,
+.Nm ypserv
+will construct a fake database record and return it to the client,
+thereby making it seem as though the client's yp_match request
+succeeded.
+.Pp
+This functionality is provided for compatiblity with SunOS 4.1.x,
+which has brain-damaged resolver functions in its standard C
+library that depend on NIS for hostname and address resolution.
+FreeBSD's resolver can be configured to do DNS
+queries directly, therefore it is not necessary to enable this
+option when serving only FreeBSD NIS clients.
+.It Fl debug
+Run the server in debugging mode: the server does not background
+itself and prints copious debugging output to stderr for
+each
+request that it revceives.
+.It Fl p Ar port
+Normally,
+.Nm ypserv
+will bind itself to a randomly chosen TCP port when it is first
+started. This option can be used to force the server to bind to
+a particular port instead.
+.El
+.Sh FILES
+.Bl -tag -width Pa -compact
+.It Pa /var/yp/[domainname]/[maps]
+The NIS maps.
+.It Pa /etc/host.conf
+Resolver configuration file.
+.El
+.Sh SEE ALSO
+.Xr ypbind 8 ,
+.Xr yppasswdd 8 ,
+.Xr yppush 8 ,
+.Xr ypxfr 8 ,
+.Xr ypcat 1 ,
+.Xr yp 8 ,
+.Xr db 3
+.Sh LICENSE
+This program is covered by the GNU Public License version 2.
+.Sh AUTHOR
+Peter Eriksson <pem@signum.se> (original Linux version)
+.br
+Bill Paul <wpaul@ctr.columbia.edu> (port to FreeBSD and various
+changes)