2f14780669
PR: docs/4871 Submitted by: sec@42.org
421 lines
12 KiB
Groff
421 lines
12 KiB
Groff
.\" Copyright (c) 1995
|
|
.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by Bill Paul.
|
|
.\" 4. Neither the name of the author nor the names of any co-contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id: ypserv.8,v 1.13 1997/10/29 07:25:05 charnier Exp $
|
|
.\"
|
|
.Dd February 4, 1995
|
|
.Dt YPSERV 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ypserv
|
|
.Nd NIS database server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl n
|
|
.Op Fl d
|
|
.Op Fl p Ar path
|
|
.Sh DESCRIPTION
|
|
.Tn NIS
|
|
is an RPC-based service designed to allow a number of UNIX-based
|
|
machines to share a common set of configuration files. Rather than
|
|
requiring a system administrator to update several copies of files
|
|
such as
|
|
.Pa /etc/hosts ,
|
|
.Pa /etc/passwd
|
|
and
|
|
.Pa /etc/group ,
|
|
which tend to require frequent changes in most environments,
|
|
.Tn NIS
|
|
allows groups of computers to share one set of data which can be
|
|
updated from a single location.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
program is the server that distributes
|
|
.Tn NIS
|
|
databases to client systems within an
|
|
.Tn NIS
|
|
.Em domain .
|
|
Each client in an
|
|
.Tn NIS
|
|
domain must have its domainname set to
|
|
one of the domains served by
|
|
.Nm
|
|
using the
|
|
.Xr domainname 1
|
|
command. The clients must also run
|
|
.Xr ypbind 8
|
|
in order to attach to a particular server, since it is possible to
|
|
have several servers within a single
|
|
.Tn NIS
|
|
domain.
|
|
.Pp
|
|
The databases distributed by
|
|
.Nm
|
|
are stored in
|
|
.Pa /var/yp/[domainname]
|
|
where
|
|
.Pa domainname
|
|
is the name of the domain being served. There can be several
|
|
such directories with different domainnames, and you need only one
|
|
.Nm
|
|
daemon to handle them all.
|
|
.Pp
|
|
The databases, or
|
|
.Pa maps
|
|
as they are often called,
|
|
are created by
|
|
.Pa /var/yp/Makefile
|
|
using several system files as source. The database files are in
|
|
.Xr db 3
|
|
format to help speed retrieval when there are many records involved.
|
|
In
|
|
.Bx Free ,
|
|
the maps are always readable and writable only by root for security
|
|
reasons. Technically this is only necessary for the password
|
|
maps, but since the data in the other maps can be found in
|
|
other world-readable files anyway, it doesn't hurt and it's considered
|
|
good general practice.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
program is started by
|
|
.Pa /etc/rc.network
|
|
if it has been enabled in
|
|
.Pa /etc/rc.conf .
|
|
.Sh SPECIAL FEATURES
|
|
There are some problems associated with distributing FreeBSD's password
|
|
database via
|
|
.Tn NIS Ns :
|
|
.Bx Free
|
|
normally only stores encrypted passwords
|
|
in
|
|
.Pa /etc/master.passwd ,
|
|
which is readable and writable only by root. By turning this file
|
|
into an
|
|
.Tn NIS
|
|
map, this security feature would be completely defeated.
|
|
.Pp
|
|
To make up for this, the
|
|
.Bx Free
|
|
version of
|
|
.Nm
|
|
handles the
|
|
.Pa master.passwd.byname
|
|
and
|
|
.Pa master.basswd.byuid
|
|
maps in a special way. When the server receives a request to access
|
|
either of these two maps, it will check the TCP port from which the
|
|
request originated and return an error if the port number is greater
|
|
than 1023. Since only the superuser is allowed to bind to TCP ports
|
|
with values less than 1024, the server can use this test to determine
|
|
whether or not the access request came from a privileged user.
|
|
Any requests made by non-privileged users are therefore rejected.
|
|
.Pp
|
|
Furthermore, the
|
|
.Xr getpwent 3
|
|
routines in
|
|
.Bx Free Ns 's
|
|
standard C library will only attempt to retrieve
|
|
data from the
|
|
.Pa master.passwd.byname
|
|
and
|
|
.Pa master.passwd.byuid
|
|
maps for the superuser: if a normal user calls any of these functions,
|
|
the standard
|
|
.Pa passwd.byname
|
|
and
|
|
.Pa passwd.byuid
|
|
maps will be accessed instead. The latter two maps are constructed by
|
|
.Pa /var/yp/Makefile
|
|
by parsing the
|
|
.Pa master.passwd
|
|
file and stripping out the password fields, and are therefore
|
|
safe to pass on to unprivileged users. In this way, the shadow password
|
|
aspect of the protected
|
|
.Pa master.passwd
|
|
database is maintained through
|
|
.Tn NIS .
|
|
.Pp
|
|
.Sh NOTES
|
|
.Ss Limitations
|
|
There are two problems inherent with password shadowing in
|
|
.Tn NIS
|
|
that users should
|
|
be aware of:
|
|
.Bl -enum -offset indent
|
|
.It
|
|
The
|
|
.Sq TCP port less than 1024
|
|
test is trivial to defeat for users with
|
|
unrestricted access to machines on your network (even those machines
|
|
which do not run UNIX-based operating systems).
|
|
.It
|
|
If you plan to use a
|
|
.Bx Free
|
|
system to serve
|
|
.Bx non-Free
|
|
clients that
|
|
have no support for password shadowing (which is most of them), you
|
|
will have to disable the password shadowing entirely by uncommenting the
|
|
.Em UNSECURE=True
|
|
entry in
|
|
.Pa /var/yp/Makefile .
|
|
This will cause the standard
|
|
.Pa passwd.byname
|
|
and
|
|
.Pa passwd.byuid
|
|
maps to be generated with valid encrypted password fields, which is
|
|
necessary in order for
|
|
.Bx non-Free
|
|
clients to perform user
|
|
authentication through
|
|
.Tn NIS .
|
|
.El
|
|
.Pp
|
|
.Ss Security
|
|
In general, any remote user can issue an RPC to
|
|
.Nm
|
|
and retrieve the contents of your
|
|
.Tn NIS
|
|
maps, provided the remote user
|
|
knows your domain name. To prevent such unauthorized transactions,
|
|
.Nm
|
|
supports a feature called
|
|
.Pa securenets
|
|
which can be used to restrict access to a given set of hosts.
|
|
At startup,
|
|
.Nm
|
|
will attempt to load the securenets information from a file
|
|
called
|
|
.Pa /var/yp/securenets .
|
|
(Note that this path varies depending on the path specified with
|
|
the
|
|
.Fl p
|
|
option, which is explained below.) This file contains entries
|
|
that consist of a network specification and a network mask separated
|
|
by white space.
|
|
Lines starting with
|
|
.Dq \&#
|
|
are considered to be comments. A
|
|
sample securenets file might look like this:
|
|
.Bd -unfilled -offset indent
|
|
# allow connections from local host -- mandatory
|
|
127.0.0.1 255.255.255.255
|
|
# allow connections from any host
|
|
# on the 192.168.128.0 network
|
|
192.168.128.0 255.255.255.0
|
|
# allow connections from any host
|
|
# between 10.0.0.0 to 10.0.15.255
|
|
10.0.0.0 255.255.240.0
|
|
.Ed
|
|
.Pp
|
|
If
|
|
.Nm
|
|
receives a request from an address that matches one of these rules,
|
|
it will process the request normally. If the address fails to match
|
|
a rule, the request will be ignored and a warning message will be
|
|
logged. If the
|
|
.Pa /var/yp/securenets
|
|
file does not exist,
|
|
.Nm
|
|
will allow connections from any host.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
program also has support for Wietse Venema's
|
|
.Em tcpwrapper
|
|
package, though it is not compiled in by default since
|
|
the
|
|
.Em tcpwrapper
|
|
package is not distributed with
|
|
.Bx Free .
|
|
However, if you have
|
|
.Pa libwrap.a
|
|
and
|
|
.Pa tcpd.h ,
|
|
you can easily recompile
|
|
.Nm
|
|
with them. This allows the administrator to use the tcpwrapper
|
|
configuration files (
|
|
.Pa /etc/hosts.allow
|
|
and
|
|
.Pa /etc/hosts.deny )
|
|
for access control instead of
|
|
.Pa /var/yp/securenets .
|
|
.Pp
|
|
Note: while both of these access control mechanisms provide some
|
|
security, they, like the privileged port test, are both vulnerable
|
|
to
|
|
.Dq IP spoofing
|
|
attacks.
|
|
.Pp
|
|
.Ss NIS v1 compatibility
|
|
This version of
|
|
.Nm
|
|
has some support for serving
|
|
.Tn NIS
|
|
v1 clients.
|
|
.Bx Free Ns 's
|
|
.Tn NIS
|
|
implementation only uses the
|
|
.Tn NIS
|
|
v2 protocol, however other implementations
|
|
include support for the v1 protocol for backwards compatibility
|
|
with older systems. The
|
|
.Xr ypbind 8
|
|
daemons supplied with these systems will try to establish a binding
|
|
to an
|
|
.Tn NIS
|
|
v1 server even though they may never actually need it (and they may
|
|
persist in broadcasting in search of one even after they receive a
|
|
response from a v2 server). Note that while
|
|
support for normal client calls is provided, this version of
|
|
.Nm
|
|
does not handle v1 map transfer requests; consequently, it can not
|
|
be used as a master or slave in conjunction with older
|
|
.Tn NIS
|
|
servers that
|
|
only support the v1 protocol. Fortunately, there probably aren't any
|
|
such servers still in use today.
|
|
.Ss NIS servers that are also NIS clients
|
|
Care must be taken when running
|
|
.Nm
|
|
in a multi-server domain where the server machines are also
|
|
.Tn NIS
|
|
clients. It is generally a good idea to force the servers to
|
|
bind to themselves rather than allowing them to broadcast bind
|
|
requests and possibly become bound to each other: strange failure
|
|
modes can result if one server goes down and
|
|
others are dependent upon on it. (Eventually all the clients will
|
|
time out and attempt to bind to other servers, but the delay
|
|
involved can be considerable and the failure mode is still present
|
|
since the servers might bind to each other all over again).
|
|
.Pp
|
|
Refer to the
|
|
.Xr ypbind 8
|
|
man page for details on how to force it to bind to a particular
|
|
server.
|
|
.Sh OPTIONS
|
|
The following options are supported by
|
|
.Nm Ns :
|
|
.Bl -tag -width flag
|
|
.It Fl n
|
|
This option affects the way
|
|
.Nm
|
|
handles yp_match requests for the
|
|
.Pa hosts.byname
|
|
and
|
|
.Pa hosts.byaddress
|
|
maps. By default, if
|
|
.Nm
|
|
can't find an entry for a given host in its hosts maps, it will
|
|
return an error and perform no further processing. With the
|
|
.Fl n
|
|
flag,
|
|
.Nm
|
|
will go one step further: rather than giving up immediately, it
|
|
will try to resolve the hostname or address using a DNS nameserver
|
|
query. If the query is successful,
|
|
.Nm
|
|
will construct a fake database record and return it to the client,
|
|
thereby making it seem as though the client's yp_match request
|
|
succeeded.
|
|
.Pp
|
|
This feature is provided for compatiblity with SunOS 4.1.x,
|
|
which has brain-damaged resolver functions in its standard C
|
|
library that depend on
|
|
.Tn NIS
|
|
for hostname and address resolution.
|
|
.Bx Free Ns 's
|
|
resolver can be configured to do DNS
|
|
queries directly, therefore it is not necessary to enable this
|
|
option when serving only
|
|
.Bx Free
|
|
.Tn NIS
|
|
clients.
|
|
.It Fl d
|
|
Cause the server to run in debugging mode. Normally,
|
|
.Nm
|
|
reports only unusual errors (access violations, file access failures)
|
|
using the
|
|
.Xr syslog 3
|
|
facility. In debug mode, the server does not background
|
|
itself and prints extra status messages to stderr for each
|
|
request that it receives. Also, while running in debug mode,
|
|
.Nm
|
|
will not spawn any additional subprocesses as it normally does
|
|
when handling yp_all requests or doing DNS lookups. (These actions
|
|
often take a fair amount of time to complete and are therefore handled
|
|
in subprocesses, allowing the parent server process to go on handling
|
|
other requests.) This makes it easier to trace the server with
|
|
a debugging tool.
|
|
.It Fl p Ar path
|
|
Normally,
|
|
.Nm
|
|
assumes that all
|
|
.Tn NIS
|
|
maps are stored under
|
|
.Pa /var/yp .
|
|
The
|
|
.Fl p
|
|
flag may be used to specify an alternate
|
|
.Tn NIS
|
|
root path, allowing
|
|
the system administrator to move the map files to a different place
|
|
within the filesystem.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width Pa -compact
|
|
.It Pa /var/yp/[domainname]/[maps]
|
|
the
|
|
.Tn NIS
|
|
maps
|
|
.It Pa /etc/host.conf
|
|
resolver configuration file
|
|
.It Pa /var/yp/securenets
|
|
host access control file
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ypcat 1 ,
|
|
.Xr db 3 ,
|
|
.Xr yp 4 ,
|
|
.Xr ypbind 8 ,
|
|
.Xr yppasswdd 8 ,
|
|
.Xr yppush 8 ,
|
|
.Xr ypxfr 8
|
|
.Sh AUTHOR
|
|
.An Bill Paul Aq wpaul@ctr.columbia.edu
|
|
.Sh HISTORY
|
|
This version of
|
|
.Nm
|
|
first appeared in
|
|
.Fx 2.2 .
|