Add securenets support (uses same access control mechanism as ypserv,

also controlled by /var/yp/securenets).

Add -u flag to turn off the privileged port check done by yp_access();
some commercial systems (IRIX, Solaris 2.x, HP-UX, and probably others)
don't use a reserved port for submitting yppasswd updates. If we always
enforce the check, these client systems will be unable to submit updates
to us.

Document securenets support and -u flag in man page.

Like ypserv, you can compile rpc.yppasswdd to use the tcpwrapper package
instead of securenets if you want to.

1 files changed, 8 insertions, 2 deletions

diff --git a/usr.sbin/rpc.yppasswdd/yppasswdd_server.c b/usr.sbin/rpc.yppasswdd/yppasswdd_server.c
index fa2551a..205ca77 100644
--- a/usr.sbin/rpc.yppasswdd/yppasswdd_server.c
+++ b/usr.sbin/rpc.yppasswdd/yppasswdd_server.c
@@ -29,7 +29,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id: yppasswdd_server.c,v 1.8 1996/02/09 04:38:19 wpaul Exp $
+ *	$Id: yppasswdd_server.c,v 1.11 1996/02/24 21:41:15 wpaul Exp $
  */
 
 #include <stdio.h>
@@ -60,7 +60,7 @@ struct dom_binding {};
 #include "yppasswd_comm.h"
 
 #ifndef lint
-static const char rcsid[] = "$Id: yppasswdd_server.c,v 1.8 1996/02/09 04:38:19 wpaul Exp $";
+static const char rcsid[] = "$Id: yppasswdd_server.c,v 1.11 1996/02/24 21:41:15 wpaul Exp $";
 #endif /* not lint */
 
 char *tempname;
@@ -338,6 +338,12 @@ yppasswdproc_update_1_svc(yppasswd *argp, struct svc_req *rqstp)
 
 	rqhost = svc_getcaller(rqstp->rq_xprt);
 
+	if (yp_access(resvport ? "master.passwd.byname" : NULL, rqstp)) {
+		yp_error("rejected update request from unauthorized host");
+		svcerr_auth(rqstp->rq_xprt, AUTH_BADCRED);
+		return(&result);
+	}
+
 	/*
 	 * Step one: find the user. (It's kinda pointless to
 	 * proceed if the user doesn't exist.) We look for the