summaryrefslogtreecommitdiffstats
path: root/usr.sbin/ypserv/ypserv.8
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/ypserv/ypserv.8')
-rw-r--r--usr.sbin/ypserv/ypserv.8465
1 files changed, 0 insertions, 465 deletions
diff --git a/usr.sbin/ypserv/ypserv.8 b/usr.sbin/ypserv/ypserv.8
deleted file mode 100644
index 9d88731..0000000
--- a/usr.sbin/ypserv/ypserv.8
+++ /dev/null
@@ -1,465 +0,0 @@
-.\" Copyright (c) 1995
-.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Bill Paul.
-.\" 4. Neither the name of the author nor the names of any co-contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd December 13, 2009
-.Dt YPSERV 8
-.Os
-.Sh NAME
-.Nm ypserv
-.Nd NIS database server
-.Sh SYNOPSIS
-.Nm
-.Op Fl n
-.Op Fl d
-.Op Fl P Ar port
-.Op Fl p Ar path
-.Sh DESCRIPTION
-.Tn NIS
-is an RPC-based service designed to allow a number of UNIX-based
-machines to share a common set of configuration files.
-Rather than
-requiring a system administrator to update several copies of files
-such as
-.Pa /etc/hosts ,
-.Pa /etc/passwd
-and
-.Pa /etc/group ,
-which tend to require frequent changes in most environments,
-.Tn NIS
-allows groups of computers to share one set of data which can be
-updated from a single location.
-.Pp
-The
-.Nm
-utility is the server that distributes
-.Tn NIS
-databases to client systems within an
-.Tn NIS
-.Em domain .
-Each client in an
-.Tn NIS
-domain must have its domainname set to
-one of the domains served by
-.Nm
-using the
-.Xr domainname 1
-command.
-The clients must also run
-.Xr ypbind 8
-in order to attach to a particular server, since it is possible to
-have several servers within a single
-.Tn NIS
-domain.
-.Pp
-The databases distributed by
-.Nm
-are stored in
-.Pa /var/yp/[domainname]
-where
-.Pa domainname
-is the name of the domain being served.
-There can be several
-such directories with different domainnames, and you need only one
-.Nm
-daemon to handle them all.
-.Pp
-The databases, or
-.Pa maps
-as they are often called,
-are created by
-.Pa /var/yp/Makefile
-using several system files as source.
-The database files are in
-.Xr db 3
-format to help speed retrieval when there are many records involved.
-In
-.Fx ,
-the maps are always readable and writable only by root for security
-reasons.
-Technically this is only necessary for the password
-maps, but since the data in the other maps can be found in
-other world-readable files anyway, it does not hurt and it is considered
-good general practice.
-.Pp
-The
-.Nm
-utility is started by
-.Pa /etc/rc.d/ypserv
-if it has been enabled in
-.Pa /etc/rc.conf .
-.Sh SPECIAL FEATURES
-There are some problems associated with distributing a
-.Fx
-password
-database via
-.Tn NIS :
-.Fx
-normally only stores encrypted passwords
-in
-.Pa /etc/master.passwd ,
-which is readable and writable only by root.
-By turning this file
-into an
-.Tn NIS
-map, this security feature would be completely defeated.
-.Pp
-To make up for this, the
-.Fx
-version of
-.Nm
-handles the
-.Pa master.passwd.byname
-and
-.Pa master.passwd.byuid
-maps in a special way.
-When the server receives a request to access
-either of these two maps (or in fact either of the
-.Pa shadow.byname
-or
-.Pa shadow.byuid
-maps), it will check the TCP port from which the
-request originated and return an error if the port number is greater
-than 1023.
-Since only the superuser is allowed to bind to TCP ports
-with values less than 1024, the server can use this test to determine
-whether or not the access request came from a privileged user.
-Any requests made by non-privileged users are therefore rejected.
-.Pp
-Furthermore, the
-.Xr getpwent 3
-routines in the
-.Fx
-standard C library will only attempt to retrieve
-data from the
-.Pa master.passwd.byname
-and
-.Pa master.passwd.byuid
-maps for the superuser: if a normal user calls any of these functions,
-the standard
-.Pa passwd.byname
-and
-.Pa passwd.byuid
-maps will be accessed instead.
-The latter two maps are constructed by
-.Pa /var/yp/Makefile
-by parsing the
-.Pa master.passwd
-file and stripping out the password fields, and are therefore
-safe to pass on to unprivileged users.
-In this way, the shadow password
-aspect of the protected
-.Pa master.passwd
-database is maintained through
-.Tn NIS .
-.Sh NOTES
-.Ss Setting Up Master and Slave Servers
-.Xr ypinit 8
-is a convenient script that will help setup master and slave
-.Tn NIS
-servers.
-.Ss Limitations
-There are two problems inherent with password shadowing in
-.Tn NIS
-that users should
-be aware of:
-.Bl -enum -offset indent
-.It
-The
-.Sq TCP port less than 1024
-test is trivial to defeat for users with
-unrestricted access to machines on your network (even those machines
-which do not run UNIX-based operating systems).
-.It
-If you plan to use a
-.Fx
-system to serve
-.No non- Ns Fx
-clients that
-have no support for password shadowing (which is most of them), you
-will have to disable the password shadowing entirely by uncommenting the
-.Em UNSECURE=True
-entry in
-.Pa /var/yp/Makefile .
-This will cause the standard
-.Pa passwd.byname
-and
-.Pa passwd.byuid
-maps to be generated with valid encrypted password fields, which is
-necessary in order for
-.No non- Ns Fx
-clients to perform user
-authentication through
-.Tn NIS .
-.El
-.Pp
-.Ss Security
-In general, any remote user can issue an RPC to
-.Nm
-and retrieve the contents of your
-.Tn NIS
-maps, provided the remote user
-knows your domain name.
-To prevent such unauthorized transactions,
-.Nm
-supports a feature called
-.Pa securenets
-which can be used to restrict access to a given set of hosts.
-At startup,
-.Nm
-will attempt to load the securenets information from a file
-called
-.Pa /var/yp/securenets .
-(Note that this path varies depending on the path specified with
-the
-.Fl p
-option, which is explained below.)
-This file contains entries
-that consist of a network specification and a network mask separated
-by white space.
-Lines starting with
-.Dq \&#
-are considered to be comments.
-A
-sample securenets file might look like this:
-.Bd -unfilled -offset indent
-# allow connections from local host -- mandatory
-127.0.0.1 255.255.255.255
-# allow connections from any host
-# on the 192.168.128.0 network
-192.168.128.0 255.255.255.0
-# allow connections from any host
-# between 10.0.0.0 to 10.0.15.255
-10.0.0.0 255.255.240.0
-.Ed
-.Pp
-If
-.Nm
-receives a request from an address that matches one of these rules,
-it will process the request normally.
-If the address fails to match
-a rule, the request will be ignored and a warning message will be
-logged.
-If the
-.Pa /var/yp/securenets
-file does not exist,
-.Nm
-will allow connections from any host.
-.Pp
-The
-.Nm
-utility also has support for Wietse Venema's
-.Em tcpwrapper
-package.
-This allows the administrator to use the tcpwrapper
-configuration files
-.Pa ( /etc/hosts.allow
-and
-.Pa /etc/hosts.deny )
-for access control instead of
-.Pa /var/yp/securenets .
-.Pp
-Note: while both of these access control mechanisms provide some
-security, they, like the privileged port test, are both vulnerable
-to
-.Dq IP spoofing
-attacks.
-.Pp
-.Ss NIS v1 compatibility
-This version of
-.Nm
-has some support for serving
-.Tn NIS
-v1 clients.
-The
-.Fx
-.Tn NIS
-implementation only uses the
-.Tn NIS
-v2 protocol, however other implementations
-include support for the v1 protocol for backwards compatibility
-with older systems.
-The
-.Xr ypbind 8
-daemons supplied with these systems will try to establish a binding
-to an
-.Tn NIS
-v1 server even though they may never actually need it (and they may
-persist in broadcasting in search of one even after they receive a
-response from a v2 server).
-Note that while
-support for normal client calls is provided, this version of
-.Nm
-does not handle v1 map transfer requests; consequently, it cannot
-be used as a master or slave in conjunction with older
-.Tn NIS
-servers that
-only support the v1 protocol.
-Fortunately, there probably are not any
-such servers still in use today.
-.Ss NIS servers that are also NIS clients
-Care must be taken when running
-.Nm
-in a multi-server domain where the server machines are also
-.Tn NIS
-clients.
-It is generally a good idea to force the servers to
-bind to themselves rather than allowing them to broadcast bind
-requests and possibly become bound to each other: strange failure
-modes can result if one server goes down and
-others are dependent upon on it.
-(Eventually all the clients will
-time out and attempt to bind to other servers, but the delay
-involved can be considerable and the failure mode is still present
-since the servers might bind to each other all over again).
-.Pp
-Refer to the
-.Xr ypbind 8
-man page for details on how to force it to bind to a particular
-server.
-.Sh OPTIONS
-The following options are supported by
-.Nm :
-.Bl -tag -width flag
-.It Fl n
-This option affects the way
-.Nm
-handles yp_match requests for the
-.Pa hosts.byname
-and
-.Pa hosts.byaddress
-maps.
-By default, if
-.Nm
-cannot find an entry for a given host in its hosts maps, it will
-return an error and perform no further processing.
-With the
-.Fl n
-flag,
-.Nm
-will go one step further: rather than giving up immediately, it
-will try to resolve the hostname or address using a DNS nameserver
-query.
-If the query is successful,
-.Nm
-will construct a fake database record and return it to the client,
-thereby making it seem as though the client's yp_match request
-succeeded.
-.Pp
-This feature is provided for compatibility with SunOS 4.1.x,
-which has brain-damaged resolver functions in its standard C
-library that depend on
-.Tn NIS
-for hostname and address resolution.
-The
-.Fx
-resolver can be configured to do DNS
-queries directly, therefore it is not necessary to enable this
-option when serving only
-.Fx
-.Tn NIS
-clients.
-.It Fl d
-Cause the server to run in debugging mode.
-Normally,
-.Nm
-reports only unusual errors (access violations, file access failures)
-using the
-.Xr syslog 3
-facility.
-In debug mode, the server does not background
-itself and prints extra status messages to stderr for each
-request that it receives.
-Also, while running in debug mode,
-.Nm
-will not spawn any additional subprocesses as it normally does
-when handling yp_all requests or doing DNS lookups.
-(These actions
-often take a fair amount of time to complete and are therefore handled
-in subprocesses, allowing the parent server process to go on handling
-other requests.)
-This makes it easier to trace the server with
-a debugging tool.
-.It Fl h Ar addr
-Specify a specific address to bind to for requests. This option may be
-specified multiple times. If no
-.Fl h
-option is specified,
-.Nm
-will bind to default passive address
-.Pq e.g. INADDR_ANY for IPv4
-for each transport.
-.It Fl P Ar port
-Force ypserv to bind to a specific TCP/UDP port, rather than selecting
-its own.
-.It Fl p Ar path
-Normally,
-.Nm
-assumes that all
-.Tn NIS
-maps are stored under
-.Pa /var/yp .
-The
-.Fl p
-flag may be used to specify an alternate
-.Tn NIS
-root path, allowing
-the system administrator to move the map files to a different place
-within the file system.
-.El
-.Sh FILES
-.Bl -tag -width Pa -compact
-.It Pa /var/yp/[domainname]/[maps]
-the
-.Tn NIS
-maps
-.It Pa /etc/nsswitch.conf
-name switch configuration file
-.It Pa /var/yp/securenets
-host access control file
-.El
-.Sh SEE ALSO
-.Xr ypcat 1 ,
-.Xr db 3 ,
-.Xr hosts_access 5 ,
-.Xr rpc.yppasswdd 8 ,
-.Xr yp 8 ,
-.Xr ypbind 8 ,
-.Xr ypinit 8 ,
-.Xr yppush 8 ,
-.Xr ypxfr 8
-.Sh HISTORY
-This version of
-.Nm
-first appeared in
-.Fx 2.2 .
-.Sh AUTHORS
-.An Bill Paul Aq wpaul@ctr.columbia.edu
OpenPOWER on IntegriCloud