ypserv.8 (24946) | ypserv.8 (30827) |
---|---|
1.\" Copyright (c) 1995 2.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" | 1.\" Copyright (c) 1995 2.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
31.\" $Id: ypserv.8,v 1.11 1997/02/22 16:15:14 peter Exp $ | 31.\" $Id: ypserv.8,v 1.12 1997/04/15 07:41:10 jmg Exp $ |
32.\" 33.Dd February 4, 1995 34.Dt YPSERV 8 35.Os 36.Sh NAME 37.Nm ypserv 38.Nd NIS database server 39.Sh SYNOPSIS --- 6 unchanged lines hidden (view full) --- 46is an RPC-based service designed to allow a number of UNIX-based 47machines to share a common set of configuration files. Rather than 48requiring a system administrator to update several copies of files 49such as 50.Pa /etc/hosts , 51.Pa /etc/passwd 52and 53.Pa /etc/group , | 32.\" 33.Dd February 4, 1995 34.Dt YPSERV 8 35.Os 36.Sh NAME 37.Nm ypserv 38.Nd NIS database server 39.Sh SYNOPSIS --- 6 unchanged lines hidden (view full) --- 46is an RPC-based service designed to allow a number of UNIX-based 47machines to share a common set of configuration files. Rather than 48requiring a system administrator to update several copies of files 49such as 50.Pa /etc/hosts , 51.Pa /etc/passwd 52and 53.Pa /etc/group , |
54which tend to require frequent changes in most environments, NIS | 54which tend to require frequent changes in most environments, 55.Tn NIS |
55allows groups of computers to share one set of data which can be 56updated from a single location. 57.Pp 58The 59.Nm | 56allows groups of computers to share one set of data which can be 57updated from a single location. 58.Pp 59The 60.Nm |
60program is the server that distributes NIS databases 61to client systems within an NIS | 61program is the server that distributes 62.Tn NIS 63databases to client systems within an 64.Tn NIS |
62.Em domain . | 65.Em domain . |
63Each client in an NIS domain must have its domainname set to | 66Each client in an 67.Tn NIS 68domain must have its domainname set to |
64one of the domains served by 65.Nm 66using the 67.Xr domainname 1 68command. The clients must also run 69.Xr ypbind 8 70in order to attach to a particular server, since it is possible to | 69one of the domains served by 70.Nm 71using the 72.Xr domainname 1 73command. The clients must also run 74.Xr ypbind 8 75in order to attach to a particular server, since it is possible to |
71have several servers within a single NIS domain. | 76have several servers within a single 77.Tn NIS 78domain. |
72.Pp 73The databases distributed by 74.Nm 75are stored in 76.Pa /var/yp/[domainname] 77where 78.Pa domainname 79is the name of the domain being served. There can be several --- 4 unchanged lines hidden (view full) --- 84The databases, or 85.Pa maps 86as they are often called, 87are created by 88.Pa /var/yp/Makefile 89using several system files as source. The database files are in 90.Xr db 3 91format to help speed retrieval when there are many records involved. | 79.Pp 80The databases distributed by 81.Nm 82are stored in 83.Pa /var/yp/[domainname] 84where 85.Pa domainname 86is the name of the domain being served. There can be several --- 4 unchanged lines hidden (view full) --- 91The databases, or 92.Pa maps 93as they are often called, 94are created by 95.Pa /var/yp/Makefile 96using several system files as source. The database files are in 97.Xr db 3 98format to help speed retrieval when there are many records involved. |
92In FreeBSD, the 93maps are always readable and writable only by root for security | 99In 100.Bx Free , 101the maps are always readable and writable only by root for security |
94reasons. Technically this is only necessary for the password 95maps, but since the data in the other maps can be found in 96other world-readable files anyway, it doesn't hurt and it's considered 97good general practice. 98.Pp 99The 100.Nm 101program is started by | 102reasons. Technically this is only necessary for the password 103maps, but since the data in the other maps can be found in 104other world-readable files anyway, it doesn't hurt and it's considered 105good general practice. 106.Pp 107The 108.Nm 109program is started by |
102.Pa /etc/rc | 110.Pa /etc/rc.network |
103if it has been enabled in | 111if it has been enabled in |
104.Pa /etc/sysconfig . | 112.Pa /etc/rc.conf . |
105.Sh SPECIAL FEATURES 106There are some problems associated with distributing FreeBSD's password | 113.Sh SPECIAL FEATURES 114There are some problems associated with distributing FreeBSD's password |
107database via NIS: FreeBSD normally only stores encrypted passwords | 115database via 116.Tn NIS Ns : 117.Bx Free 118normally only stores encrypted passwords |
108in 109.Pa /etc/master.passwd , 110which is readable and writable only by root. By turning this file | 119in 120.Pa /etc/master.passwd , 121which is readable and writable only by root. By turning this file |
111into an NIS map, this security feature would be completely defeated. | 122into an 123.Tn NIS 124map, this security feature would be completely defeated. |
112.Pp | 125.Pp |
113To make up for this, the FreeBSD version of | 126To make up for this, the 127.Bx Free 128version of |
114.Nm 115handles the 116.Pa master.passwd.byname 117and 118.Pa master.basswd.byuid 119maps in a special way. When the server receives a request to access 120either of these two maps, it will check the TCP port from which the 121request originated and return an error if the port number is greater 122than 1023. Since only the superuser is allowed to bind to TCP ports 123with values less than 1024, the server can use this test to determine 124whether or not the access request came from a privileged user. 125Any requests made by non-privileged users are therefore rejected. 126.Pp 127Furthermore, the 128.Xr getpwent 3 | 129.Nm 130handles the 131.Pa master.passwd.byname 132and 133.Pa master.basswd.byuid 134maps in a special way. When the server receives a request to access 135either of these two maps, it will check the TCP port from which the 136request originated and return an error if the port number is greater 137than 1023. Since only the superuser is allowed to bind to TCP ports 138with values less than 1024, the server can use this test to determine 139whether or not the access request came from a privileged user. 140Any requests made by non-privileged users are therefore rejected. 141.Pp 142Furthermore, the 143.Xr getpwent 3 |
129routines in FreeBSD's standard C libarary will only attempt to retrieve | 144routines in 145.Bx Free Ns 's 146standard C library will only attempt to retrieve |
130data from the 131.Pa master.passwd.byname 132and 133.Pa master.passwd.byuid 134maps for the superuser: if a normal user calls any of these functions, 135the standard 136.Pa passwd.byname 137and 138.Pa passwd.byuid 139maps will be accessed instead. The latter two maps are constructed by 140.Pa /var/yp/Makefile 141by parsing the 142.Pa master.passwd 143file and stripping out the password fields, and are therefore 144safe to pass on to unprivileged users. In this way, the shadow password 145aspect of the protected 146.Pa master.passwd | 147data from the 148.Pa master.passwd.byname 149and 150.Pa master.passwd.byuid 151maps for the superuser: if a normal user calls any of these functions, 152the standard 153.Pa passwd.byname 154and 155.Pa passwd.byuid 156maps will be accessed instead. The latter two maps are constructed by 157.Pa /var/yp/Makefile 158by parsing the 159.Pa master.passwd 160file and stripping out the password fields, and are therefore 161safe to pass on to unprivileged users. In this way, the shadow password 162aspect of the protected 163.Pa master.passwd |
147database is maintained through NIS. | 164database is maintained through 165.Tn NIS . |
148.Pp 149.Sh NOTES 150.Ss Limitations | 166.Pp 167.Sh NOTES 168.Ss Limitations |
151There are two problems inherent with password shadowing in NIS | 169There are two problems inherent with password shadowing in 170.Tn NIS |
152that users should 153be aware of: 154.Bl -enum -offset indent 155.It 156The 157.Sq TCP port less than 1024 158test is trivial to defeat for users with 159unrestricted access to machines on your network (even those machines 160which do not run UNIX-based operating systems). 161.It | 171that users should 172be aware of: 173.Bl -enum -offset indent 174.It 175The 176.Sq TCP port less than 1024 177test is trivial to defeat for users with 178unrestricted access to machines on your network (even those machines 179which do not run UNIX-based operating systems). 180.It |
162If you plan to use a FreeBSD system to serve non-FreeBSD clients that | 181If you plan to use a 182.Bx Free 183system to serve 184.Bx non-Free 185clients that |
163have no support for password shadowing (which is most of them), you 164will have to disable the password shadowing entirely by uncommenting the 165.Em UNSECURE=True 166entry in 167.Pa /var/yp/Makefile . 168This will cause the standard 169.Pa passwd.byname 170and 171.Pa passwd.byuid 172maps to be generated with valid encrypted password fields, which is | 186have no support for password shadowing (which is most of them), you 187will have to disable the password shadowing entirely by uncommenting the 188.Em UNSECURE=True 189entry in 190.Pa /var/yp/Makefile . 191This will cause the standard 192.Pa passwd.byname 193and 194.Pa passwd.byuid 195maps to be generated with valid encrypted password fields, which is |
173neccesary in order for non-FreeBSD clients to perform user 174authentication through NIS. | 196necessary in order for 197.Bx non-Free 198clients to perform user 199authentication through 200.Tn NIS . |
175.El 176.Pp 177.Ss Security 178In general, any remote user can issue an RPC to 179.Nm | 201.El 202.Pp 203.Ss Security 204In general, any remote user can issue an RPC to 205.Nm |
180and retrieve the contents of your NIS maps, provided the remote user | 206and retrieve the contents of your 207.Tn NIS 208maps, provided the remote user |
181knows your domain name. To prevent such unauthorized transactions, 182.Nm 183supports a feature called 184.Pa securenets 185which can be used to restrict access to a given set of hosts. 186At startup, 187.Nm 188will attempt to load the securenets information from a file --- 33 unchanged lines hidden (view full) --- 222.Pp 223The 224.Nm 225program also has support for Wietse Venema's 226.Em tcpwrapper 227package, though it is not compiled in by default since 228the 229.Em tcpwrapper | 209knows your domain name. To prevent such unauthorized transactions, 210.Nm 211supports a feature called 212.Pa securenets 213which can be used to restrict access to a given set of hosts. 214At startup, 215.Nm 216will attempt to load the securenets information from a file --- 33 unchanged lines hidden (view full) --- 250.Pp 251The 252.Nm 253program also has support for Wietse Venema's 254.Em tcpwrapper 255package, though it is not compiled in by default since 256the 257.Em tcpwrapper |
230package is not distributed with FreeBSD. However, if you have | 258package is not distributed with 259.Bx Free . 260However, if you have |
231.Pa libwrap.a 232and 233.Pa tcpd.h , 234you can easily recompile 235.Nm 236with them. This allows the administrator to use the tcpwrapper 237configuration files ( 238.Pa /etc/hosts.allow --- 6 unchanged lines hidden (view full) --- 245security, they, like the privileged port test, are both vulnerable 246to 247.Dq IP spoofing 248attacks. 249.Pp 250.Ss NIS v1 compatibility 251This version of 252.Nm | 261.Pa libwrap.a 262and 263.Pa tcpd.h , 264you can easily recompile 265.Nm 266with them. This allows the administrator to use the tcpwrapper 267configuration files ( 268.Pa /etc/hosts.allow --- 6 unchanged lines hidden (view full) --- 275security, they, like the privileged port test, are both vulnerable 276to 277.Dq IP spoofing 278attacks. 279.Pp 280.Ss NIS v1 compatibility 281This version of 282.Nm |
253has some support for serving NIS v1 clients. FreeBSD's NIS 254implementation only uses the NIS v2 protocol, however other implementations | 283has some support for serving 284.Tn NIS 285v1 clients. 286.Bx Free Ns 's 287.Tn NIS 288implementation only uses the 289.Tn NIS 290v2 protocol, however other implementations |
255include support for the v1 protocol for backwards compatibility 256with older systems. The 257.Xr ypbind 8 258daemons supplied with these systems will try to establish a binding | 291include support for the v1 protocol for backwards compatibility 292with older systems. The 293.Xr ypbind 8 294daemons supplied with these systems will try to establish a binding |
259to an NIS v1 260server even though they may never actually need it (and they may | 295to an 296.Tn NIS 297v1 server even though they may never actually need it (and they may |
261persist in broadcasting in search of one even after they receive a 262response from a v2 server). Note that while 263support for normal client calls is provided, this version of 264.Nm 265does not handle v1 map transfer requests; consequently, it can not | 298persist in broadcasting in search of one even after they receive a 299response from a v2 server). Note that while 300support for normal client calls is provided, this version of 301.Nm 302does not handle v1 map transfer requests; consequently, it can not |
266be used as a master or slave in conjunction with older NIS servers that | 303be used as a master or slave in conjunction with older 304.Tn NIS 305servers that |
267only support the v1 protocol. Fortunately, there probably aren't any 268such servers still in use today. 269.Ss NIS servers that are also NIS clients 270Care must be taken when running 271.Nm 272in a multi-server domain where the server machines are also | 306only support the v1 protocol. Fortunately, there probably aren't any 307such servers still in use today. 308.Ss NIS servers that are also NIS clients 309Care must be taken when running 310.Nm 311in a multi-server domain where the server machines are also |
273NIS clients. It is generally a good idea to force the servers to | 312.Tn NIS 313clients. It is generally a good idea to force the servers to |
274bind to themselves rather than allowing them to broadcast bind 275requests and possibly become bound to each other: strange failure 276modes can result if one server goes down and 277others are dependent upon on it. (Eventually all the clients will 278time out and attempt to bind to other servers, but the delay 279involved can be considerable and the failure mode is still present 280since the servers might bind to each other all over again). 281.Pp --- 24 unchanged lines hidden (view full) --- 306query. If the query is successful, 307.Nm 308will construct a fake database record and return it to the client, 309thereby making it seem as though the client's yp_match request 310succeeded. 311.Pp 312This feature is provided for compatiblity with SunOS 4.1.x, 313which has brain-damaged resolver functions in its standard C | 314bind to themselves rather than allowing them to broadcast bind 315requests and possibly become bound to each other: strange failure 316modes can result if one server goes down and 317others are dependent upon on it. (Eventually all the clients will 318time out and attempt to bind to other servers, but the delay 319involved can be considerable and the failure mode is still present 320since the servers might bind to each other all over again). 321.Pp --- 24 unchanged lines hidden (view full) --- 346query. If the query is successful, 347.Nm 348will construct a fake database record and return it to the client, 349thereby making it seem as though the client's yp_match request 350succeeded. 351.Pp 352This feature is provided for compatiblity with SunOS 4.1.x, 353which has brain-damaged resolver functions in its standard C |
314library that depend on NIS for hostname and address resolution. 315FreeBSD's resolver can be configured to do DNS | 354library that depend on 355.Tn NIS 356for hostname and address resolution. 357.Bx Free Ns 's 358resolver can be configured to do DNS |
316queries directly, therefore it is not necessary to enable this | 359queries directly, therefore it is not necessary to enable this |
317option when serving only FreeBSD NIS clients. | 360option when serving only 361.Bx Free 362.Tn NIS 363clients. |
318.It Fl d | 364.It Fl d |
319Causes the server to run in debugging mode. Normally, | 365Cause the server to run in debugging mode. Normally, |
320.Nm 321reports only unusual errors (access violations, file access failures) 322using the 323.Xr syslog 3 324facility. In debug mode, the server does not background 325itself and prints extra status messages to stderr for each 326request that it receives. Also, while running in debug mode, 327.Nm 328will not spawn any additional subprocesses as it normally does 329when handling yp_all requests or doing DNS lookups. (These actions 330often take a fair amount of time to complete and are therefore handled 331in subprocesses, allowing the parent server process to go on handling 332other requests.) This makes it easier to trace the server with 333a debugging tool. 334.It Fl p Ar path 335Normally, 336.Nm | 366.Nm 367reports only unusual errors (access violations, file access failures) 368using the 369.Xr syslog 3 370facility. In debug mode, the server does not background 371itself and prints extra status messages to stderr for each 372request that it receives. Also, while running in debug mode, 373.Nm 374will not spawn any additional subprocesses as it normally does 375when handling yp_all requests or doing DNS lookups. (These actions 376often take a fair amount of time to complete and are therefore handled 377in subprocesses, allowing the parent server process to go on handling 378other requests.) This makes it easier to trace the server with 379a debugging tool. 380.It Fl p Ar path 381Normally, 382.Nm |
337assumes that all NIS maps are stored under | 383assumes that all 384.Tn NIS 385maps are stored under |
338.Pa /var/yp . 339The 340.Fl p | 386.Pa /var/yp . 387The 388.Fl p |
341flag may be used to specify an alternate NIS root path, allowing | 389flag may be used to specify an alternate 390.Tn NIS 391root path, allowing |
342the system administrator to move the map files to a different place 343within the filesystem. 344.El 345.Sh FILES 346.Bl -tag -width Pa -compact 347.It Pa /var/yp/[domainname]/[maps] | 392the system administrator to move the map files to a different place 393within the filesystem. 394.El 395.Sh FILES 396.Bl -tag -width Pa -compact 397.It Pa /var/yp/[domainname]/[maps] |
348The NIS maps. | 398the 399.Tn NIS 400maps |
349.It Pa /etc/host.conf | 401.It Pa /etc/host.conf |
350Resolver configuration file. | 402resolver configuration file |
351.It Pa /var/yp/securenets | 403.It Pa /var/yp/securenets |
352Host access control file | 404host access control file |
353.El 354.Sh SEE ALSO 355.Xr ypcat 1 , 356.Xr db 3 , 357.Xr yp 4 , 358.Xr ypbind 8 , 359.Xr yppasswdd 8 , 360.Xr yppush 8 , 361.Xr ypxfr 8 362.Sh AUTHOR | 405.El 406.Sh SEE ALSO 407.Xr ypcat 1 , 408.Xr db 3 , 409.Xr yp 4 , 410.Xr ypbind 8 , 411.Xr yppasswdd 8 , 412.Xr yppush 8 , 413.Xr ypxfr 8 414.Sh AUTHOR |
363Bill Paul <wpaul@ctr.columbia.edu> | 415.An Bill Paul Aq wpaul@ctr.columbia.edu |
364.Sh HISTORY 365This version of 366.Nm 367first appeared in 368.Fx 2.2 . | 416.Sh HISTORY 417This version of 418.Nm 419first appeared in 420.Fx 2.2 . |
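Review bot: the spelling pass is incomplete. The right-hand side fixes "libarary" (146) and "neccesary" (196) but leaves `master.basswd.byuid` at line 133, which should be `master.passwd.byuid` to match line 150 and the map name the rest of the page uses, plus "dependent upon on it" at line 317 (doubled preposition) and "compatiblity" at line 352. Fix all three in the same commit so the typo fixes land together.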
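Review bot: the `.Bx Free` / `.Bx non-Free` rewrites (right-hand lines 100, 117, 127, 145, 182, 184, 197, 259, 286, 357, 361) are inconsistent with the page's own HISTORY section, which already spells the OS name with `.Fx` at line 420; using `.Fx` without a version argument in the body too would keep a single macro for the name, and `.Bx non-Free` reads as a trick that only happens to render as "non-FreeBSD", so write that negation as plain text. The conversion is also incomplete either way: line 114 still carries a literal "FreeBSD's".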
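Review bot: the startup paragraph at right-hand lines 107-112 now points at `/etc/rc.network` and `/etc/rc.conf` but still does not say which `rc.conf` setting turns the server on; name the variable so an administrator can enable or, more importantly, confirm that the service is disabled from the manual page alone instead of reading `rc.network`.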
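Review bot: the SPECIAL FEATURES text at right-hand lines 134-140 presents the reserved-port check as if it reliably identifies privileged users ("the server can use this test to determine whether or not the access request came from a privileged user"), while Limitations item 1 at lines 174-179 concedes the same check is trivial to defeat from any host the attacker controls. The reasoning only holds for hosts the administrator controls, since it is the client kernel, not the server, that restricts ports below 1024; qualify the sentence and point the reader at the Limitations and Security subsections so the port test is not mistaken for an access control on the `master.passwd.*` maps.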
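Review bot: while the markup is being touched, drop the `.Pp` that sits directly before `.Sh NOTES` (right-hand line 166), `.Ss Security` (202) and `.Ss NIS v1 compatibility` (279); a paragraph break immediately ahead of a section or subsection macro is redundant, as the header macro already starts a new paragraph.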