author | wpaul <wpaul@FreeBSD.org> | 1995-02-04 21:32:04 +0000 |
---|---|---|
committer | wpaul <wpaul@FreeBSD.org> | 1995-02-04 21:32:04 +0000 |
commit | a9318a2ce2af753619f08dc1ff1d96de22daaeb5 (patch) | |
tree | a6ffecc627cee860e5970d95e3c365716efecbdd /gnu/usr.sbin | |
parent | 472cc5aac8bf04dbc3a02a6382ed1cd8c092c9fd (diff) | |
download | FreeBSD-src-a9318a2ce2af753619f08dc1ff1d96de22daaeb5.zip FreeBSD-src-a9318a2ce2af753619f08dc1ff1d96de22daaeb5.tar.gz |
Created manual page for ypserv and changed Makefile to install it.
Also tweaked server.c to support newer versions of tcpwrapper (log_tcp.h
is now tcpd.h and FROM_UNKNOWN changed to STRING_UNKNOWN).
Diffstat (limited to 'gnu/usr.sbin')
-rw-r--r-- | gnu/usr.sbin/ypserv/Makefile | 4
-rw-r--r-- | gnu/usr.sbin/ypserv/server.c | 8
-rw-r--r-- | gnu/usr.sbin/ypserv/ypserv.8 | 278
3 files changed, 286 insertions, 4 deletions
diff --git a/gnu/usr.sbin/ypserv/Makefile b/gnu/usr.sbin/ypserv/Makefile index 02358bc..8ce36f6 100644 --- a/gnu/usr.sbin/ypserv/Makefile +++ b/gnu/usr.sbin/ypserv/Makefile @@ -1,4 +1,4 @@ -# $Id: Makefile,v 1.3 1995/02/03 03:41:38 wpaul Exp $ +# $Id: Makefile,v 1.4 1995/02/03 22:01:17 wpaul Exp $ # From: @(#)Makefile 8.3 (Berkeley) 4/2/94 PROG= ypserv @@ -7,7 +7,7 @@ SRCS= dnslookup.c yp_svc.c yp_xdr.c server.c CFLAGS+=-Wall -DTCP_WRAPPER=0 -DTCPW_FACILITY=LOG_AUTH CFLAGS+=-DINSTDIR='"/usr/libexec"' -MAN8= +MAN8= ypserv.8 afterinstall: /var/yp/Makefile /usr/libexec/mknetid diff --git a/gnu/usr.sbin/ypserv/server.c b/gnu/usr.sbin/ypserv/server.c index 1ed70bc..bfa2e1a 100644 --- a/gnu/usr.sbin/ypserv/server.c +++ b/gnu/usr.sbin/ypserv/server.c @@ -24,7 +24,7 @@ ** Ported to FreeBSD and hacked all to pieces ** by Bill Paul <wpaul@ctr.columbia.edu> ** -** $Id$ +** $Id: server.c,v 1.1 1995/01/31 08:58:53 wpaul Exp $ ** */ @@ -68,7 +68,7 @@ HASHINFO openinfo = { }; #if TCP_WRAPPER -#include "log_tcp.h" +#include "tcpd.h" int allow_severity=LOG_INFO; int deny_severity=LOG_WARNING; #endif @@ -141,6 +141,10 @@ static int is_valid_host(struct sockaddr_in *sin) h = (hp && hp->h_name) ? hp->h_name : NULL; #endif +#ifndef FROM_UNKNOWN +#define FROM_UNKNOWN STRING_UNKNOWN +#endif + status = hosts_ctl(progname, h?h:FROM_UNKNOWN, inet_ntoa(sin->sin_addr), diff --git a/gnu/usr.sbin/ypserv/ypserv.8 b/gnu/usr.sbin/ypserv/ypserv.8 new file mode 100644 index 0000000..5b5ac91 --- /dev/null +++ b/gnu/usr.sbin/ypserv/ypserv.8 
@@ -0,0 +1,278 @@ +.\" Copyright (c) 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the University of +.\" California, Berkeley and its contributors. +.\" 4. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id$ +.\" +.Dd February 4, 1995 +.Dt YPSERV 8 +.Os +.Sh NAME +.Nm ypserv +.Nd "NIS database server" +.Sh SYNOPSIS +.Nm ypserv +.Op Fl dns +.Op Fl debug +.Op Fl p Ar port +.Sh DESCRIPTION +.Nm NIS +is an RPC-based service designed to allow a number of UNIX-based +machines to share a common set of configuration files. Rather than +requiring a system administrator to update several copies of files +such as +.Pa /etc/hosts , +.Pa /etc/passwd +and +.Pa /etc/group , +which tend to require frequent changes in most environments, NIS +allows groups of computers to share one set of data which can be +updated from a single location. +.Pp +.Nm ypserv +is the server that distributes NIS databases +to client systems within an NIS +.Nm domain. +Each client in an NIS domain must have its domainname set to +one of the domains served by +.Nm ypserv +using the +.Xr domainname 2 +command. The clients must also run +.Xr ypbind 8 +in order to attach to a particular server, since it is possible to +have serveral servers within a single NIS domain. +.Pp +The databases distributed by +.Nm ypserv +are stored in +.Pa /var/yp/[domainname] +where +.Pa domainname +is the name of the domain being served. There can be several +such directories with different domainnames, and +.Nm ypserv +cam handle them all. +.Pp +The databases, or +.Pa maps +as they are often called, +are created by +.Nm /var/yp/Makefile +using several system files as source. The database files are in +.Xr db 3 +format to help speed retrieval when there are many records involved. +In FreeBSD, the +maps are always readable and writable only by root for security +reasons. Technically this is only necessary for the password +maps, but since the data in the other maps can be found in +other world-readable files anyway, it doesn't hurt and it's considered +good general practice. +.Pp +.Nm ypserv +is started by +.Nm /etc/rc.local +if it has been enabled in +.Nm /etc/netstart. 
+.Sh SPECIAL FEATURES +There are some problems associated with distributing FreeBSD's password +database via NIS: FreeBSD normally only stores encrypted passwords +in +.Pa /etc/master.passwd , +which is readable and writable only by root. By turning this file +into an NIS map, this security feature would be completely defeated. +.Pp +To make up for this, the FreeBSD version of +.Nm ypserv +handles the +.Pa master.passwd.byname +and +.Pa master.basswd.byuid +maps in a special way. When the server receives a request to access +either of these two maps, it will check the TCP port from which the +request originated and return an error if the port number is greater +than 1023. Since only the superuser is allowed to bind to TCP ports +with values less than 1024, the server can use this test to determine +whether or not the access request came from a privileged user. +Any requests made by non-privileged users are therefore rejected. +.Pp +Furthermore, the +.Xr getpwent 3 +routines in FreeBSD's standard C libarary will only attempt to retrieve +data from the +.Pa master.passwd.byname +and +.Pa master.passwd.byuid +maps for the superuser: if a normal user calls any of these functions, +the standard +.Pa passwd.byname +and +.Pa passwd.byuid +maps will be accessed instead. The latter two maps are constructed by +.Nm /var/yp/Makefile +by parsing the +.Pa master.passwd +file and stripping out the password fields, and are therefore +safe to pass on to unprivileged users. In this way, the shadow password +aspect of the protected +.Pa master.passwd +database is maintained through NIS. +.Pp +.Sh NOTES +.Ss Limitations +There are two problems inherent with password shadowing in NIS +that users should +be aware of: +.Bl -enum -offset indent +.It +The 'TCP port less than 1024' test is trivial to defeat for users with +unrestricted access to machines on your network (even those machines +which do not run UNIX-based operating systems). 
+.It +If you plan to use a FreeBSD system to serve non-FreeBSD clients that +have no support for password shadowing (which is most of them), you +will have to disable the password shadowing entirely by uncommenting the +.Nm UNSECURE=True +entry in +.Nm /var/yp/Makefile . +This will cause the standard +.Pa passwd.byname +and +.Pa passwd.byuid +maps to be generated with valid encrypted password fields, which is +neccesary in order for non-FreeBSD clients to perform user +authentication through NIS. +.El +.Pp +.Ss Security +.Nm ypserv +has support for Wietse Venema's +.Pa tcpwrapper +package built in, though it is not compiled in by default since +the +.Pa tcpwrapper +package is not distributed with FreeBSD. However, if you have +.Nm libwrap.a +and +.Nm tcpd.h , +you can easily recompile +.Nm ypserv +with them, thereby enabling its 'securenets' features: you can +configure +.Nm ypserv +to only handle resquests from machines listed +in the +.Pa tcpwrapper +configuration files, which would help limit vulnerability to the +first limitation listed above. +.Pp +.Ss NIS servers that are also NIS clients +Care must be taken when running +.Nm ypserv +in a multi-server domain where the server machines are also +NIS clients. It is generally a good idea to force the servers to +bind to themselves rather than allowing them to broadcast bind +requests and possibly become bound to each other: strange failure +modes can result if one server goes down and +others are dependent upon on it. (Eventually all the clients will +time out and attempt to bind to other servers, but the delay +involved can be considerable and the failure mode is still present +since the servers might bind to each other all over again). +.Pp +Refer to the +.Xr ypbind 8 +man page for details on how to force it to bind to a particular +server. 
+.Sh OPTIONS +The following options are supported by +.Nm ypserv : +.Bl -tag -width flag +.It Fl dns +This option affects the way +.Nm ypserv +handles yp_match requests for the +.Pa hosts.byname +and +.Pa hosts.byaddress +maps. By default, if +.Nm ypserv +can't find an entry for a given host in its hosts maps, it will +return an error and perform no further processing. With the +.Fl dns +flag, +.Nm ypserv +will go one step further: rather than giving up immediately, it +will try to resolve the hostname or address using a DNS query. +If the query is successful, +.Nm ypserv +will construct a fake database record and return it to the client, +thereby making it seem as though the client's yp_match request +succeeded. +.Pp +This functionality is provided for compatiblity with SunOS 4.1.x, +which has brain-damaged resolver functions in its standard C +library that depend on NIS for hostname and address resolution. +FreeBSD's resolver can be configured to do DNS +queries directly, therefore it is not necessary to enable this +option when serving only FreeBSD NIS clients. +.It Fl debug +Run the server in debugging mode: the server does not background +itself and prints copious debugging output to stderr for +each +request that it revceives. +.It Fl p Ar port +Normally, +.Nm ypserv +will bind itself to a randomly chosen TCP port when it is first +started. This option can be used to force the server to bind to +a particular port instead. +.El +.Sh FILES +.Bl -tag -width Pa -compact +.It Pa /var/yp/[domainname]/[maps] +The NIS maps. +.It Pa /etc/host.conf +Resolver configuration file. +.El +.Sh SEE ALSO +.Xr ypbind 8 , +.Xr yppasswdd 8 , +.Xr yppush 8 , +.Xr ypxfr 8 , +.Xr ypcat 1 , +.Xr yp 8 , +.Xr db 3 +.Sh LICENSE +This program is covered by the GNU Public License version 2. +.Sh AUTHOR +Peter Eriksson <pem@signum.se> (original Linux version) +.br +Bill Paul <wpaul@ctr.columbia.edu> (port to FreeBSD and various +changes) |
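Review bot: in the Makefile hunk (`@@ -7,7 +7,7 @@`), `CFLAGS+=-Wall -DTCP_WRAPPER=0 -DTCPW_FACILITY=LOG_AUTH` leaves the wrapper support off and the hunk adds no `LDADD` for `libwrap.a` or any variable a builder can set, yet the new ypserv.8 in the same commit tells the reader that with `libwrap.a` and `tcpd.h` "you can easily recompile ypserv with them". Please add the knob the man page promises, for example a `TCP_WRAPPER?=0` default with a conditional that sets `-DTCP_WRAPPER=1` and `LDADD+=-lwrap` when it is non-zero, and mention in the man page that it is a build-time Makefile setting. The `MAN8= ypserv.8` change itself looks right; `afterinstall:` still lists `/var/yp/Makefile` and `/usr/libexec/mknetid` as before, so the new page will be installed through the standard `MAN8` path.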
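Review bot: in the server.c include hunk (`@@ -68,7 +68,7 @@`), replacing `#include "log_tcp.h"` with `#include "tcpd.h"` unconditionally drops the ability to build against the older tcp_wrappers releases that only ship log_tcp.h, while the commit message only says the change "support[s] newer versions". If the older header is still worth supporting, guard the include (`#ifdef HAVE_TCPD_H` or a small Makefile-settable macro) and fall back to log_tcp.h; otherwise state the minimum tcp_wrappers version in the comment next to the `#if TCP_WRAPPER` block so a builder with the old package gets a clear message instead of a missing-header error. Note also that `allow_severity` and `deny_severity` are defined here as plain globals; tcpd.h in newer releases declares them `extern`, so this still compiles, but a builder who also links a libwrap built with the severity variables inside the library will get duplicate symbols, which is one more reason to document the supported version.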
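Review bot: in the server.c `is_valid_host()` hunk (`@@ -141,6 +141,10 @@`), the `#ifndef FROM_UNKNOWN / #define FROM_UNKNOWN STRING_UNKNOWN` compatibility shim is dropped into the middle of a function body and outside the `#if TCP_WRAPPER` guard that surrounds the `tcpd.h` include; it would be cleaner to place it immediately after `#include "tcpd.h"` in the `#if TCP_WRAPPER` block at the top of the file, so the macro is only defined when the header that defines `STRING_UNKNOWN` has actually been included and the compatibility intent is visible in one place. Separately, on the call that follows, `hosts_ctl(progname, h?h:FROM_UNKNOWN, inet_ntoa(sin->sin_addr), ...`, the name `h` comes from the preceding reverse lookup (`h = (hp && hp->h_name) ? hp->h_name : NULL;`). As far as I can tell from libwrap, `hosts_ctl()` takes the caller-supplied client name at face value and does not repeat the forward/reverse consistency check that its socket-based interface performs, so a host whose PTR record is under an attacker's control can present itself as any name listed in `hosts.allow`. Either verify that a forward lookup of `hp->h_name` yields `sin->sin_addr` before passing the name, or pass `FROM_UNKNOWN` for the name and rely on address-based rules only; the man page's Security section should then tell administrators to write `hosts.allow` entries for ypserv by address rather than by hostname. The `status = hosts_ctl(...)` result is still honoured as before, so the error path is unchanged.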
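Review bot: in the new ypserv.8 hunk (`@@ -0,0 +1,278 @@`), two map names are wrong and will mislead anyone who greps for them: the SPECIAL FEATURES section writes `.Pa master.basswd.byuid` for the `master.passwd.byuid` map the special handling applies to, and the `-dns` description writes `.Pa hosts.byaddress` where the standard NIS map is `hosts.byaddr`. In the DESCRIPTION, `.Xr domainname 2` is cited as the command used to set the domain name, but the command lives in section 1 (`.Xr domainname 1`); section 2 is the system call. A few mdoc macro choices should be tidied at the same time: `.Nm` is used for pathnames (`.Nm /var/yp/Makefile`, `.Nm /etc/rc.local`, `.Nm /etc/netstart.`, `.Nm libwrap.a`, `.Nm tcpd.h`, `.Nm UNSECURE=True`) and `.Pa` for a package name (`.Pa tcpwrapper`); `.Pa` is for paths, `.Nm` for this utility's name, and `.Nm domain.` in "within an NIS .Nm domain." marks an ordinary word. Spelling to fix before commit: "serveral", "cam handle", "libarary", "neccesary", "resquests", "revceives", "compatiblity", "dependent upon on it". Finally, the file opens with the Regents of the University of California copyright and the four-clause advertising acknowledgement copied from a BSD man page template, while the page's own LICENSE section says the program is under the GNU Public License version 2 and the AUTHOR section credits Peter Eriksson and Bill Paul; please confirm that the Berkeley header is the intended copyright for this newly written page and, if not, replace it with the authors' own notice so the licence statement in the file is consistent.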