chpass(1) are on the way too.) This version supports all the features
of the old one and adds several new ones:
- Supports real multi-domain operation (optional, can be turned
on with a command-line flag). This means you can actually have
several different domains all served from one NIS server and
allow users in any of the supported domains to change their passwords.
The old yppasswdd only allowed changing passwords in the domain
that was set as the system default domain name on the NIS master
server. The new one can change passwords in any domain by trying
to match the user information passed to it against all the passwd
maps it can find. This is something of a hack, but the yppasswd.x
protocol definiton does not allow for a domain to be passwd as an
argument to rpc.yppasswdd, so the server has no choice but to
grope around for a likely match. Since this method can fail if
the same user exists in two domains, this feature is off by default.
If the feature is turned on and the server becomes confused by
duplicate entries, it will abort the update.
- Does not require NIS client services to be available. NIS servers do
_NOT_ necessarily have to be configured as NIS clients in order to
function: the ypserv, ypxfr and yppush programs I've written recently
will operate fine even if the system domain name isn't set, ypbind isn't
running and there are no magic '+' entries in any of the /etc files.
Now rpc.yppasswdd is the same way. The old yppasswdd would not work
like this because it depended on getpwent(3) and friends to look up
users: this will obviously only work if the system where yppasswdd is
running is configured as an NIS client. The new rpc.yppasswdd doesn't
use getpwent(3) at all: instead it searches through the master.passwd
map databases directly. This also makes it easier for it to handle
multiple domains.
- Allows the superuser on the NIS master server to change any user's
password without requiring password authentication. rpc.yppasswdd
creates a UNIX domain socket (/var/run/ypsock) which it monitors
using the same svc_run() loop used to handle incoming RPC requests.
It also clears all the permission bits for /var/run/ypsock; since
this socket is owned by root, this prevents anyone except root from
successfully connect()ing to it. (Using a UNIX domain socket also
prevents IP spoofing attacks.) By building code into passwd(1) and
chpass(1) to take advantage of this 'trusted' channel, the superuser
can use them to send private requests to rpc.yppasswdd.
- Allows the superuser on the NIS master to use chpass(1) to update _all_
of a user's master.passwd information. The UNIX domain access point
accepts a full master.passwd style structure (along with a domain
name and other information), which allows the superuser to update all
of a user's master.passwd information in the NIS master.passwd maps.
Normal users on NIS clients are still only allowed to change their full
name and shell information with chpass.
- Allows the superuser on the NIS master to _add_ records to the NIS
master.passwd maps using chpass(1). This feature is also switchable
with a command-line flag and is off by default.
This program does what the old one did, PLUS:
- Supports parallel jobs (like the SunOS yppush)
- Does everything in one proces instead of fork()ing off
children processes as callback listeners (this is done
using async socket I/O).
- Can be used to transmit maps to user-specified hosts.
- Has a much more verbose verbose option.
- Reuses existing code from ypserv and ypxfr.
- Uses some rpcgen-erated code as well.
- Isn't fattening. :)
Note that this is going in /usr/sbin rather than /usr/bin like
the old one. yppush is an administrative command it it's anything.
to the old one, except that it supports an additional option (-p path)
that lets you specify the top level path wiere your NIS maps live.
(ypserv allows you to specify a path like this, so it makes sense that
ypxfr should too. ypserv will automagically pass the -p flag to ypxfr
if you use a path other than /var/yp when you start it.)
This program uses client stub code generated by rpcgen as well as
the yp_dblookup.c module from ypserv.
equivalent to the old ypserv, except that it doesn't support the
-p [port] option to force the server to use a particular port.
The server stubs and yp.h header file are auto-generated from the yp.x
protocol definition file. The auto-generated XDR routines in libc/yp
are also used. The database access code has been broken out into a
seperate module so that other NIS utilities (ypxfr in particular)
can use it.
Note that the old mknetid script is being temporarily moved here; it
will be replaced by an mknetid program which will eventually have
a home under /usr/src/libexec. (The existing script is actually
somewhat broken -- it doesn't handle hosts -- but this isn't a big
deal at this point since the netid.byname map is really only useful
fopr Secure RPC, which we don't have yet.)
program parses the /etc/netgroup file into netgroup.byuser and netgroup.byhost
format for NIS.
I used hash tables to store the initial netgroup data in memory and to
construct the 'reverse' netgroup output. It seems just as fast as the
SunOS revnetgroup, which is surprising considering this is my first
attempt at using hash tables in a real application. :)
Note that I canibalized a large chunk of getnetgrent.c to save myself
from having to write my own netgroup parsing functions.
