1.\" Copyright (c) 1995 2.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
31.\" $Id: ypserv.8,v 1.12 1997/04/15 07:41:10 jmg Exp $ |
32.\" 33.Dd February 4, 1995 34.Dt YPSERV 8 35.Os 36.Sh NAME 37.Nm ypserv 38.Nd NIS database server 39.Sh SYNOPSIS --- 6 unchanged lines hidden (view full) --- 46is an RPC-based service designed to allow a number of UNIX-based 47machines to share a common set of configuration files. Rather than 48requiring a system administrator to update several copies of files 49such as 50.Pa /etc/hosts , 51.Pa /etc/passwd 52and 53.Pa /etc/group , |
54which tend to require frequent changes in most environments, 55.Tn NIS |
56allows groups of computers to share one set of data which can be 57updated from a single location. 58.Pp 59The 60.Nm |
61program is the server that distributes 62.Tn NIS 63databases to client systems within an 64.Tn NIS |
65.Em domain . |
66Each client in an 67.Tn NIS 68domain must have its domainname set to |
69one of the domains served by 70.Nm 71using the 72.Xr domainname 1 73command. The clients must also run 74.Xr ypbind 8 75in order to attach to a particular server, since it is possible to |
76have several servers within a single 77.Tn NIS 78domain. |
79.Pp 80The databases distributed by 81.Nm 82are stored in 83.Pa /var/yp/[domainname] 84where 85.Pa domainname 86is the name of the domain being served. There can be several --- 4 unchanged lines hidden (view full) --- 91The databases, or 92.Pa maps 93as they are often called, 94are created by 95.Pa /var/yp/Makefile 96using several system files as source. The database files are in 97.Xr db 3 98format to help speed retrieval when there are many records involved. |
In
.Bx Free ,
the maps are always readable and writable only by root for security
reasons. Strictly speaking this is only necessary for the password
maps, but since the data in the other maps can be found in
other world-readable files anyway, the restriction costs nothing and
is considered good general practice.
.Pp
The
.Nm
program is started by
.Pa /etc/rc.network
if it has been enabled in
.Pa /etc/rc.conf .
.Sh SPECIAL FEATURES
There are some problems associated with distributing FreeBSD's password
database via
.Tn NIS Ns :
.Bx Free
normally only stores encrypted passwords
in
.Pa /etc/master.passwd ,
which is readable and writable only by root. Turning this file
into an ordinary
.Tn NIS
map would defeat this protection completely, since any client
able to reach the server could read every password hash.
.Pp
To make up for this, the
.Bx Free
version of
.Nm
handles the
.Pa master.passwd.byname
and
.Pa master.passwd.byuid
maps in a special way. When the server receives a request to access
either of these two maps, it will check the TCP port from which the
request originated and return an error if the port number is greater
than 1023. Since only the superuser is allowed to bind to TCP ports
with values less than 1024, the server can use this test to determine
whether or not the access request came from a privileged user.
Any requests made by non-privileged users are therefore rejected.
.Pp
Furthermore, the
.Xr getpwent 3
routines in
.Bx Free Ns 's
standard C library will only attempt to retrieve
data from the
.Pa master.passwd.byname
and
.Pa master.passwd.byuid
maps for the superuser: if a normal user calls any of these functions,
the standard
.Pa passwd.byname
and
.Pa passwd.byuid
maps will be accessed instead. The latter two maps are constructed by
.Pa /var/yp/Makefile
by parsing the
.Pa master.passwd
file and stripping out the password fields, and are therefore
safe to pass on to unprivileged users. In this way, the shadow password
aspect of the protected
.Pa master.passwd
database is maintained through
.Tn NIS .
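The following is an added example, not code from ypserv or from the
FreeBSD tree, that models the two mechanisms just described: the
Makefile's split of master.passwd into the root-only master.passwd.*
maps and the stripped passwd.* maps (with and without UNSECURE=True,
described under NOTES below), the server's privileged-port test, and
the client library's choice of map by caller UID. The sample accounts
and hashes are constructed, the status strings are this example's own
rather than ypserv's YP_* codes, and the port numbers (1023 for root,
49152 for everyone else) are assumed values for illustration.

```python
# Added example (not ypserv's or FreeBSD's own code): model of the
# master.passwd / passwd map split and the privileged-port test.

MASTER_FIELDS = ("name", "passwd", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")
PRIVILEGED_MAPS = ("master.passwd.byname", "master.passwd.byuid")

# Constructed /etc/master.passwd content; hashes are placeholders.
SAMPLE_MASTER_PASSWD = """\
root:$1$rootsalt$ROOTHASH:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$alicesalt$ALICEHASH:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
+:::::::::
"""


def build_passwd_maps(master_passwd_text, unsecure=False):
    """Return {mapname: {key: line}} for the four password maps.

    master.passwd.* keep the full 10-field line, hash included.
    passwd.* use the 7-field passwd(5) layout with the password field
    replaced by '*', unless unsecure=True (the Makefile's UNSECURE=True),
    in which case the hash is copied through for non-FreeBSD clients.
    '+' inclusion lines are skipped, as the Makefile's awk filter does.
    """
    maps = {m: {} for m in PRIVILEGED_MAPS + ("passwd.byname", "passwd.byuid")}
    for raw in master_passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(MASTER_FIELDS):
            raise ValueError(f"malformed master.passwd line: {raw!r}")
        rec = dict(zip(MASTER_FIELDS, fields))
        if rec["name"].startswith("+"):
            continue
        maps["master.passwd.byname"][rec["name"]] = line
        maps["master.passwd.byuid"][rec["uid"]] = line
        pw = rec["passwd"] if unsecure else "*"
        short = ":".join((rec["name"], pw, rec["uid"], rec["gid"],
                          rec["gecos"], rec["home"], rec["shell"]))
        maps["passwd.byname"][rec["name"]] = short
        maps["passwd.byuid"][rec["uid"]] = short
    return maps


def master_map_access_allowed(mapname, source_port):
    """The server's test: master.passwd.* may only be read from a
    reserved (< 1024) source port. Other maps are not checked here."""
    if mapname not in PRIVILEGED_MAPS:
        return True
    return 0 < source_port < 1024


def yp_match(maps, mapname, key, source_port):
    """Server side of a yp_match request: port test, then key lookup.
    Status strings are this example's own, not ypserv's YP_* codes."""
    if not master_map_access_allowed(mapname, source_port):
        return ("denied", None)
    table = maps.get(mapname)
    if table is None:
        return ("nomap", None)
    if key not in table:
        return ("nokey", None)
    return ("ok", table[key])


def getpwnam_via_nis(maps, name, caller_uid):
    """Client side, as the text describes the getpwent(3) family: root
    asks for master.passwd.byname from a reserved port (1023 is an
    assumed value); anyone else gets passwd.byname from an ephemeral port."""
    if caller_uid == 0:
        return yp_match(maps, "master.passwd.byname", name, source_port=1023)
    return yp_match(maps, "passwd.byname", name, source_port=49152)


if __name__ == "__main__":
    maps = build_passwd_maps(SAMPLE_MASTER_PASSWD)
    print(getpwnam_via_nis(maps, "alice", caller_uid=0))     # hash visible
    print(getpwnam_via_nis(maps, "alice", caller_uid=1001))  # password '*'
    # The test sees only a port number: any host whose owner can bind
    # port 1023 passes it, which is the first limitation noted below.
    print(yp_match(maps, "master.passwd.byuid", "1001", source_port=1023))
```

Running the block shows the root lookup returning the full hash, the
unprivileged lookup returning a record with the password field set to
.Sq * ,
and the last call succeeding from port 1023 regardless of which host
or user sent it, which is exactly why the port test should not be
relied on by itself.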
.Pp
.Sh NOTES
.Ss Limitations
There are two problems inherent with password shadowing in
.Tn NIS
that users should
be aware of:
.Bl -enum -offset indent
.It
The
.Sq TCP port less than 1024
test is trivial to defeat for users with
unrestricted access to machines on your network (even those machines
which do not run UNIX-based operating systems): anyone who is root
on a host, or who controls a host that does not reserve low ports,
can send a request from a port below 1024.
.It
If you plan to use a
.Bx Free
system to serve
.Bx non-Free
clients that
have no support for password shadowing (which is most of them), you
will have to disable the password shadowing entirely by uncommenting the
.Em UNSECURE=True
entry in
.Pa /var/yp/Makefile .
This will cause the standard
.Pa passwd.byname
and
.Pa passwd.byuid
maps to be generated with valid encrypted password fields, which is
necessary in order for
.Bx non-Free
clients to perform user
authentication through
.Tn NIS .
Note that this exposes every password hash to any client that can
read those maps.
.El
.Pp
.Ss Security
In general, any remote user can issue an RPC to
.Nm
and retrieve the contents of your
.Tn NIS
maps, provided the remote user
knows your domain name. To prevent such unauthorized transactions,
.Nm
supports a feature called
.Pa securenets
which can be used to restrict access to a given set of hosts.
At startup,
.Nm
will attempt to load the securenets information from a file
.\" --- 33 unchanged lines hidden ---
.Pp
The
.Nm
program also has support for Wietse Venema's
.Em tcpwrapper
package, though it is not compiled in by default since
the
.Em tcpwrapper
package is not distributed with
.Bx Free .
However, if you have
.Pa libwrap.a
and
.Pa tcpd.h ,
you can easily recompile
.Nm
with them. This allows the administrator to use the tcpwrapper
configuration files (
.Pa /etc/hosts.allow
.\" --- 6 unchanged lines hidden ---
security, they, like the privileged port test, are both vulnerable
to
.Dq IP spoofing
attacks.
.Pp
.Ss NIS v1 compatibility
This version of
.Nm
has some support for serving
.Tn NIS
v1 clients.
.Bx Free Ns 's
.Tn NIS
implementation only uses the
.Tn NIS
v2 protocol; other implementations, however,
include support for the v1 protocol for backwards compatibility
with older systems. The
.Xr ypbind 8
daemons supplied with these systems will try to establish a binding
to an
.Tn NIS
v1 server even though they may never actually need it (and they may
persist in broadcasting in search of one even after they receive a
response from a v2 server). Note that while
support for normal client calls is provided, this version of
.Nm
does not handle v1 map transfer requests; consequently, it cannot
be used as a master or slave in conjunction with older
.Tn NIS
servers that
only support the v1 protocol. Fortunately, there probably aren't any
such servers still in use today.
.Ss NIS servers that are also NIS clients
Care must be taken when running
.Nm
in a multi-server domain where the server machines are also
.Tn NIS
clients. It is generally a good idea to force the servers to
bind to themselves rather than allowing them to broadcast bind
requests and possibly become bound to each other: strange failure
modes can result if one server goes down and
others are dependent upon it. (Eventually all the clients will
time out and attempt to bind to other servers, but the delay
involved can be considerable and the failure mode is still present
since the servers might bind to each other all over again).
.Pp
.\" --- 24 unchanged lines hidden ---
query. If the query is successful,
.Nm
will construct a fake database record and return it to the client,
thereby making it seem as though the client's yp_match request
succeeded.
.Pp
This feature is provided for compatibility with SunOS 4.1.x,
which has brain-damaged resolver functions in its standard C
library that depend on
.Tn NIS
for hostname and address resolution.
.Bx Free Ns 's
resolver can be configured to do DNS
queries directly, therefore it is not necessary to enable this
option when serving only
.Bx Free
.Tn NIS
clients.
.It Fl d
Cause the server to run in debugging mode. Normally,
.Nm
reports only unusual errors (access violations, file access failures)
using the
.Xr syslog 3
facility. In debug mode, the server does not background
itself and prints extra status messages to stderr for each
request that it receives. Also, while running in debug mode,
.Nm
will not spawn any additional subprocesses as it normally does
when handling yp_all requests or doing DNS lookups. (These actions
often take a fair amount of time to complete and are therefore handled
in subprocesses, allowing the parent server process to go on handling
other requests.) This makes it easier to trace the server with
a debugging tool.
.It Fl p Ar path
Normally,
.Nm
assumes that all
.Tn NIS
maps are stored under
.Pa /var/yp .
The
.Fl p
flag may be used to specify an alternate
.Tn NIS
root path, allowing
the system administrator to move the map files to a different place
within the filesystem.
.El
.Sh FILES
.Bl -tag -width Pa -compact
.It Pa /var/yp/[domainname]/[maps]
the
.Tn NIS
maps
.It Pa /etc/host.conf
resolver configuration file
.It Pa /var/yp/securenets
host access control file
.El
.Sh SEE ALSO
.Xr ypcat 1 ,
.Xr db 3 ,
.Xr yp 4 ,
.Xr ypbind 8 ,
.Xr yppasswdd 8 ,
.Xr yppush 8 ,
.Xr ypxfr 8
.Sh AUTHOR
.An Bill Paul Aq wpaul@ctr.columbia.edu
.Sh HISTORY
This version of
.Nm
first appeared in
.Fx 2.2 .