authorwpaul <wpaul@FreeBSD.org>1996-10-24 18:58:26 +0000
committerwpaul <wpaul@FreeBSD.org>1996-10-24 18:58:26 +0000
commit23c458cf11df43eaa7b95dba34d24f4c492c1556 (patch)
treec9e13718f5c1a63d264eb0f15a2cc75b914c103b /usr.sbin/ypserv
parent60458c7a5c579d18cfcea70a2ad227276cc23f75 (diff)
downloadFreeBSD-src-23c458cf11df43eaa7b95dba34d24f4c492c1556.zip
FreeBSD-src-23c458cf11df43eaa7b95dba34d24f4c492c1556.tar.gz
Add support for handling the YP_SECURE and YP_INTERDOMAIN keys from
any maps that may have them. If the YP_SECURE key is present, ypserv will only allow access to the map from clients on reserved ports. If the YP_INTERDOMAIN key is present, the server will do DNS lookups for hostnames that it can't find in hosts.byname or hosts.byaddr. This is the same as the -d flag (which is retained for backwards compatibility) but it can be set on a per-map/per-domain basis. Also modified /var/yp/Makefile to add YP_INTERDOMAIN to the hosts.* maps and YP_SECURE to master.passwd.* maps by default.
Diffstat (limited to 'usr.sbin/ypserv')
-rw-r--r--usr.sbin/ypserv/Makefile.yp13
-rw-r--r--usr.sbin/ypserv/yp_access.c11
-rw-r--r--usr.sbin/ypserv/yp_dblookup.c66
-rw-r--r--usr.sbin/ypserv/yp_extern.h11
-rw-r--r--usr.sbin/ypserv/yp_server.c83
5 files changed, 164 insertions, 20 deletions
diff --git a/usr.sbin/ypserv/Makefile.yp b/usr.sbin/ypserv/Makefile.yp
index a540cbd..3a73531 100644
--- a/usr.sbin/ypserv/Makefile.yp
+++ b/usr.sbin/ypserv/Makefile.yp
@@ -1,7 +1,7 @@
#
# Makefile for the NIS databases
#
-# $Id: Makefile.yp,v 1.11 1996/07/25 19:32:37 peter Exp $
+# $Id: Makefile.yp,v 1.12 1996/08/09 17:55:18 adam Exp $
#
# This Makefile should only be run on the NIS master server of a domain.
# All updated maps will be pushed to all NIS slave servers listed in the
@@ -29,6 +29,17 @@ NOPUSH = "True"
#
#UNSECURE = "True"
+# The following line encodes the YP_INTERDOMAIN key into the hosts.byname
+# and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve
+# hosts not in the current domain. Commenting this line out will disable
+# the DNS lookups.
+B=-b
+
+# Normally, the master.passwd.* maps are guarded against access from
+# non-privileged users. By commenting out the following line, the YP_SECURE
+# key will be removed from these maps, allowing anyone to access them.
+S=-s
+
# These are commands which this Makefile needs to properly rebuild the
# NIS databases. Don't change these unless you have a good reason. Also
# be sure not to place an @ in front of /usr/bin/awk: it isn't necessary
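Review bot: The comment above `S=-s` says the master.passwd.* maps are "guarded against access from non-privileged users", but the guard the commit message describes is a reserved-port check on the client side, so any root-capable host that passes securenets can still read the map; the comment should name the actual mechanism. Suggested wording: `# Normally, the master.passwd.* maps can only be read by clients that` / `# connect from a reserved (privileged) port. By commenting out the following`. The `B` and `S` variables are defined here but their use sites are not in this hunk, so I cannot confirm both are consumed.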
diff --git a/usr.sbin/ypserv/yp_access.c b/usr.sbin/ypserv/yp_access.c
index 5111788..69d848e 100644
--- a/usr.sbin/ypserv/yp_access.c
+++ b/usr.sbin/ypserv/yp_access.c
@@ -208,8 +208,15 @@ void load_securenets()
* it.
*/
+#ifdef DB_CACHE
+int yp_access(map, domain, rqstp)
+#else
int yp_access(map, rqstp)
+#endif
const char *map;
+#ifdef DB_CACHE
+ const char *domain;
+#endif
const struct svc_req *rqstp;
{
struct sockaddr_in *rqhost;
@@ -249,7 +256,11 @@ possible spoof attempt from %s:%d",
map, inet_ntoa(rqhost->sin_addr),
ntohs(rqhost->sin_port));
}
+#ifdef DB_CACHE
+ if ((yp_testflag((char *)map, (char *)domain, YP_SECURE) ||
+#else
if ((strstr(map, "master.passwd.") ||
+#endif
(rqstp->rq_prog == YPPROG &&
rqstp->rq_proc == YPPROC_XFR) ||
(rqstp->rq_prog == YPXFRD_FREEBSD_PROG &&
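Review bot: In the DB_CACHE branch the `strstr(map, "master.passwd.")` test is replaced rather than supplemented, so a master.passwd map that was built without the YP_SECURE key (an older Makefile.yp, or a map transferred from a master that did not set it) is served to unprivileged ports with no warning. Keeping the name test as a fallback, `if ((yp_testflag((char *)map, (char *)domain, YP_SECURE) || strstr(map, "master.passwd.") ||`, preserves the previous guarantee while adding the new per-map one. yp_testflag also returns 0 when it cannot open the map, which this condition reads as "not secure"; that is only safe because the subsequent lookup fails as well, and deserves a comment such as `/* unreadable map => flag unset; the lookup itself will fail later */`. If `map` can be NULL here (ypproc_null passes NULL), the strstr fallback needs a `map != NULL &&` guard, though the pre-existing non-DB_CACHE branch raises the same question. yp_access starts and ends outside this hunk.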
diff --git a/usr.sbin/ypserv/yp_dblookup.c b/usr.sbin/ypserv/yp_dblookup.c
index ac19571..a55acb8 100644
--- a/usr.sbin/ypserv/yp_dblookup.c
+++ b/usr.sbin/ypserv/yp_dblookup.c
@@ -29,7 +29,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: yp_dblookup.c,v 1.4 1996/07/07 19:04:33 wpaul Exp $
+ * $Id: yp_dblookup.c,v 1.4 1996/07/07 19:04:33 wpaul Exp wpaul $
*
*/
#include <stdio.h>
@@ -47,7 +47,7 @@
#include "yp_extern.h"
#ifndef lint
-static const char rcsid[] = "$Id: yp_dblookup.c,v 1.4 1996/07/07 19:04:33 wpaul Exp $";
+static const char rcsid[] = "$Id: yp_dblookup.c,v 1.4 1996/07/07 19:04:33 wpaul Exp wpaul $";
#endif
int ypdb_debug = 0;
@@ -77,6 +77,7 @@ struct dbent {
char *name;
char *key;
int size;
+ int flags;
};
static CIRCLEQ_HEAD(circlehead, circleq_entry) qhead;
@@ -193,6 +194,65 @@ void yp_flush_all()
return;
}
+static char *inter_string = "YP_INTERDOMAIN";
+static char *secure_string = "YP_SECURE";
+static int inter_sz = sizeof("YP_INTERDOMAIN") - 1;
+static int secure_sz = sizeof("YP_SECURE") - 1;
+
+static int yp_setflags(dbp)
+ DB *dbp;
+{
+ DBT key = { NULL, 0 }, data = { NULL, 0 };
+ int flags = 0;
+
+ key.data = inter_string;
+ key.size = inter_sz;
+
+ if (!(dbp->get)(dbp, &key, &data, 0))
+ flags |= YP_INTERDOMAIN;
+
+ key.data = secure_string;
+ key.size = secure_sz;
+
+ if (!(dbp->get)(dbp, &key, &data, 0))
+ flags |= YP_SECURE;
+
+ return(flags);
+}
+
+int yp_testflag(map, domain, flag)
+ char *map;
+ char *domain;
+ int flag;
+{
+ char buf[MAXPATHLEN + 2];
+ register struct circleq_entry *qptr;
+
+ if (map == NULL || domain == NULL)
+ return(0);
+
+ strcpy(buf, domain);
+ strcat(buf, "/");
+ strcat(buf, map);
+
+ for (qptr = qhead.cqh_first; qptr != (void *)&qhead;
+ qptr = qptr->links.cqe_next) {
+ if (!strcmp(qptr->dbptr->name, buf)) {
+ if (qptr->dbptr->flags & flag)
+ return(1);
+ else
+ return(0);
+ }
+ }
+
+ if (yp_open_db_cache(domain, map, NULL, 0) == NULL)
+ return(0);
+
+ if (qhead.cqh_first->dbptr->flags & flag)
+ return(1);
+
+ return(0);
+}
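Review bot: yp_testflag builds the cache key with strcpy/strcat into `buf[MAXPATHLEN + 2]` without checking the combined length, and both `domain` and `map` reach it from the client's RPC request through yp_access, so an overlong name overruns the stack buffer. Replace the three copy lines with a bounded format and treat truncation as "flag not set": `int n = snprintf(buf, sizeof buf, "%s/%s", domain, map);` followed by `if (n < 0 || (size_t)n >= sizeof buf) return(0);`. On the cache-miss path the function then reads `qhead.cqh_first->dbptr->flags`, which relies on yp_open_db_cache inserting the newly opened handle at the head of the queue (consistent with the CIRCLEQ_INSERT_HEAD in yp_cache_db, but an implicit coupling worth a comment). yp_setflags treats a -1 (error) return from `dbp->get` the same as 1 (not found), which is acceptable for a flag probe but should be stated in a comment so the behaviour on a corrupt map is intentional rather than accidental.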
/*
* Add a DB handle and database name to the cache. We only maintain
@@ -227,6 +287,8 @@ static int yp_cache_db(dbp, name, size)
qptr->dbptr->size = size;
qptr->dbptr->key = NULL;
+ qptr->dbptr->flags = yp_setflags(dbp);
+
CIRCLEQ_INSERT_HEAD(&qhead, qptr, links);
numdbs++;
diff --git a/usr.sbin/ypserv/yp_extern.h b/usr.sbin/ypserv/yp_extern.h
index aa7529c..5c07172 100644
--- a/usr.sbin/ypserv/yp_extern.h
+++ b/usr.sbin/ypserv/yp_extern.h
@@ -29,7 +29,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: yp_extern.h,v 1.2 1996/04/21 21:34:02 wpaul Exp wpaul $
+ * $Id: yp_extern.h,v 1.4 1996/04/28 04:38:50 wpaul Exp $
*/
#include <stdio.h>
#include <string.h>
@@ -40,6 +40,7 @@
#include <db.h>
#include <rpc/rpc.h>
+
#ifndef _PATH_YP
#define _PATH_YP "/var/yp/"
#endif
@@ -52,6 +53,9 @@
#define MAX_CHILDREN 20
#endif
+#define YP_SECURE 0x1
+#define YP_INTERDOMAIN 0x2
+
/*
* External functions and variables.
*/
@@ -69,10 +73,15 @@ extern int yp_first_record __P((const DB *, DBT *, DBT *, int));
extern int yp_next_record __P((const DB *, DBT *, DBT *, int, int));
extern char *yp_dnsname __P(( char * ));
extern char *yp_dnsaddr __P(( const char * ));
+#ifdef DB_CACHE
+extern int yp_access __P((const char *, const char *, const struct svc_req * ));
+#else
extern int yp_access __P((const char *, const struct svc_req * ));
+#endif
extern int yp_validdomain __P((const char * ));
extern DB *yp_open_db __P(( const char *, const char *));
extern DB *yp_open_db_cache __P(( const char *, const char *, const char *, int ));
extern void yp_flush_all __P(( void ));
extern void yp_init_dbs __P(( void ));
+extern int yp_testflag __P(( char *, char *, int ));
extern void load_securenets __P(( void ));
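Review bot: yp_testflag is declared with plain `char *` parameters although its only caller in yp_access passes `const char *` arguments and has to cast the qualifier away, and the function itself only reads the strings (strcpy/strcat/strcmp and yp_open_db_cache, whose prototype above already takes `const char *`). Declaring it `extern int yp_testflag __P(( const char *, const char *, int ));` (with the matching definition in yp_dblookup.c) removes the casts and keeps the const contract honest. The new YP_SECURE and YP_INTERDOMAIN defines are combined as a bit mask in yp_setflags; a one-line comment, `/* Per-map flag bits, set when the map contains the key of the same name */`, would make that clear at the definition.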
diff --git a/usr.sbin/ypserv/yp_server.c b/usr.sbin/ypserv/yp_server.c
index ee93651..9c9fe30 100644
--- a/usr.sbin/ypserv/yp_server.c
+++ b/usr.sbin/ypserv/yp_server.c
@@ -50,9 +50,11 @@ static const char rcsid[] = "$Id: yp_server.c,v 1.10 1996/05/31 16:01:51 wpaul E
int forked = 0;
int children = 0;
-DB *spec_dbp = NULL; /* Special global DB handle for ypproc_all. */
-char *master_string = "YP_MASTER_NAME";
-char *order_string = "YP_LAST_MODIFIED";
+static DB *spec_dbp = NULL; /* Special global DB handle for ypproc_all. */
+static char *master_string = "YP_MASTER_NAME";
+static char *order_string = "YP_LAST_MODIFIED";
+static int master_sz = sizeof("YP_MASTER_NAME") - 1;
+static int order_sz = sizeof("YP_LAST_MODIFIED") - 1;
/*
* NIS v2 support. This is where most of the action happens.
@@ -64,7 +66,11 @@ ypproc_null_2_svc(void *argp, struct svc_req *rqstp)
static char * result;
static char rval = 0;
+#ifdef DB_CACHE
+ if (yp_access(NULL, NULL, (struct svc_req *)rqstp))
+#else
if (yp_access(NULL, (struct svc_req *)rqstp))
+#endif
return(NULL);
result = &rval;
@@ -77,7 +83,11 @@ ypproc_domain_2_svc(domainname *argp, struct svc_req *rqstp)
{
static bool_t result;
+#ifdef DB_CACHE
+ if (yp_access(NULL, NULL, (struct svc_req *)rqstp)) {
+#else
if (yp_access(NULL, (struct svc_req *)rqstp)) {
+#endif
result = FALSE;
return (&result);
}
@@ -95,7 +105,11 @@ ypproc_domain_nonack_2_svc(domainname *argp, struct svc_req *rqstp)
{
static bool_t result;
+#ifdef DB_CACHE
+ if (yp_access(NULL, NULL, (struct svc_req *)rqstp))
+#else
if (yp_access(NULL, (struct svc_req *)rqstp))
+#endif
return (NULL);
if (argp == NULL || yp_validdomain(*argp))
@@ -114,8 +128,12 @@ ypproc_match_2_svc(ypreq_key *argp, struct svc_req *rqstp)
result.val.valdat_val = "";
result.val.valdat_len = 0;
-
+
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return (&result);
}
@@ -138,7 +156,13 @@ ypproc_match_2_svc(ypreq_key *argp, struct svc_req *rqstp)
* Do DNS lookups for hosts maps if database lookup failed.
*/
+#ifdef DB_CACHE
+ if (result.stat != YP_TRUE &&
+ (yp_testflag(argp->map, argp->domain, YP_INTERDOMAIN) ||
+ (strstr(argp->map, "hosts") && do_dns))) {
+#else
if (do_dns && result.stat != YP_TRUE && strstr(argp->map, "hosts")) {
+#endif
char *rval = NULL;
/* DNS lookups can take time -- do them in a subprocess */
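Review bot: The DB_CACHE condition evaluates `yp_testflag(argp->map, argp->domain, YP_INTERDOMAIN)` before the cheap `strstr(argp->map, "hosts") && do_dns` test, so every failed match on any map goes through the flag lookup, and on a cache miss that means a second yp_open_db_cache attempt for a map that may just have failed to open. Swapping the operands, `((strstr(argp->map, "hosts") && do_dns) || yp_testflag(argp->map, argp->domain, YP_INTERDOMAIN))`, gives the same result and short-circuits on the common hosts-map case. A comment noting that `-d` remains the global override while YP_INTERDOMAIN is per-map, as the commit message explains, would help readers of this condition. ypproc_match_2_svc starts and ends outside this hunk.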
@@ -197,8 +221,12 @@ ypproc_first_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
result.val.valdat_val = result.key.keydat_val = "";
result.val.valdat_len = result.key.keydat_len = 0;
-
+
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return (&result);
}
@@ -242,7 +270,11 @@ ypproc_next_2_svc(ypreq_key *argp, struct svc_req *rqstp)
result.val.valdat_val = result.key.keydat_val = "";
result.val.valdat_len = result.key.keydat_len = 0;
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return (&result);
}
@@ -297,7 +329,7 @@ static void ypxfr_callback(rval,addr,transid,prognum,port)
if ((clnt = clntudp_create(addr,prognum,1,timeout,&sock)) == NULL) {
yp_error("%s: %s", inet_ntoa(addr->sin_addr),
- clnt_spcreateerror("failed to establish callback handle"));
+ clnt_spcreateerror("failed to establish callback handle"));
return;
}
@@ -338,7 +370,12 @@ ypproc_xfr_2_svc(ypreq_xfr *argp, struct svc_req *rqstp)
result.transid = argp->transid;
rqhost = svc_getcaller(rqstp->rq_xprt);
+#ifdef DB_CACHE
+ if (yp_access(argp->map_parms.map,
+ argp->map_parms.domain, (struct svc_req *)rqstp)) {
+#else
if (yp_access(argp->map_parms.map, (struct svc_req *)rqstp)) {
+#endif
YPXFR_RETURN(YPXFR_REFUSED);
}
@@ -405,7 +442,11 @@ ypproc_clear_2_svc(void *argp, struct svc_req *rqstp)
static char * result;
static char rval = 0;
+#ifdef DB_CACHE
+ if (yp_access(NULL, NULL, (struct svc_req *)rqstp))
+#else
if (yp_access(NULL, (struct svc_req *)rqstp))
+#endif
return (NULL);
#ifdef DB_CACHE
/* clear out the database cache */
@@ -476,7 +517,11 @@ ypproc_all_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
result.ypresp_all_u.val.key.keydat_len = 0;
result.ypresp_all_u.val.key.keydat_val = "";
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.ypresp_all_u.val.stat = YP_YPERR;
return (&result);
}
@@ -530,11 +575,15 @@ ypproc_master_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
{
static ypresp_master result;
static char ypvalbuf[YPMAXRECORD];
- DBT key, data;
+ DBT key = { master_string, master_sz }, data;
result.peer = "";
- if (yp_access(NULL, (struct svc_req *)rqstp)) {
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
+ if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return(&result);
}
@@ -544,9 +593,6 @@ ypproc_master_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
return (&result);
}
- key.data = master_string;
- key.size = strlen(master_string);
-
/*
* Note that we copy the data retrieved from the database to
* a private buffer and NUL terminate the buffer rather than
@@ -570,11 +616,15 @@ ypresp_order *
ypproc_order_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
{
static ypresp_order result;
- DBT key,data;
+ DBT key = { order_string, order_sz }, data;
result.ordernum = 0;
- if (yp_access(NULL, (struct svc_req *)rqstp)) {
+#ifdef DB_CACHE
+ if (yp_access(argp->map, argp->domain, (struct svc_req *)rqstp)) {
+#else
+ if (yp_access(argp->map, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return(&result);
}
@@ -591,9 +641,6 @@ ypproc_order_2_svc(ypreq_nokey *argp, struct svc_req *rqstp)
* updated.
*/
- key.data = order_string;
- key.size = strlen(order_string);
-
if ((result.stat = yp_get_record(argp->domain, argp->map,
&key, &data, 1)) == YP_TRUE)
result.ordernum = atoi((char *)data.data);
@@ -672,7 +719,11 @@ ypproc_maplist_2_svc(domainname *argp, struct svc_req *rqstp)
{
static ypresp_maplist result = { 0, NULL };
+#ifdef DB_CACHE
+ if (yp_access(NULL, NULL, (struct svc_req *)rqstp)) {
+#else
if (yp_access(NULL, (struct svc_req *)rqstp)) {
+#endif
result.stat = YP_YPERR;
return(&result);
}