|Main index||Section 8||日本語||한국인||Options|
The ypserv utility is the server that distributes NIS databases to client systems within an NIS domain. Each client in an NIS domain must have its domainname set to one of the domains served by ypserv using the domainname(1) command. The clients must also run ypbind(8) in order to attach to a particular server, since it is possible to have several servers within a single NIS domain.
The databases distributed by ypserv are stored in /var/yp/[domainname] where domainname is the name of the domain being served. There can be several such directories with different domainnames, and you need only one ypserv daemon to handle them all.
The databases, or maps as they are often called, are created by /var/yp/Makefile using several system files as source. The database files are in db(3) format to help speed retrieval when there are many records involved. In FreeBSD , the maps are always readable and writable only by root for security reasons. Technically this is only necessary for the password maps, but since the data in the other maps can be found in other world-readable files anyway, it does not hurt and it is considered good general practice.
The ypserv utility is started by /etc/rc.d/ypserv if it has been enabled in /etc/rc.conf.
To make up for this, the FreeBSD version of ypserv handles the master.passwd.byname and master.passwd.byuid maps in a special way. When the server receives a request to access either of these two maps (or in fact either of the shadow.byname or shadow.byuid maps), it will check the TCP port from which the request originated and return an error if the port number is greater than 1023. Since only the superuser is allowed to bind to TCP ports with values less than 1024, the server can use this test to determine whether or not the access request came from a privileged user. Any requests made by non-privileged users are therefore rejected.
Furthermore, the getpwent(3) routines in the FreeBSD standard C library will only attempt to retrieve data from the master.passwd.byname and master.passwd.byuid maps for the superuser: if a normal user calls any of these functions, the standard passwd.byname and passwd.byuid maps will be accessed instead. The latter two maps are constructed by /var/yp/Makefile by parsing the master.passwd file and stripping out the password fields, and are therefore safe to pass on to unprivileged users. In this way, the shadow password aspect of the protected master.passwd database is maintained through NIS.
# allow connections from local host -- mandatory 127.0.0.1 255.255.255.255 # allow connections from any host # on the 192.168.128.0 network 192.168.128.0 255.255.255.0 # allow connections from any host # between 10.0.0.0 to 10.0.15.255 10.0.0.0 255.255.240.0
If ypserv receives a request from an address that matches one of these rules, it will process the request normally. If the address fails to match a rule, the request will be ignored and a warning message will be logged. If the /var/yp/securenets file does not exist, ypserv will allow connections from any host.
The ypserv utility also has support for Wietse Venema's tcpwrapper package. This allows the administrator to use the tcpwrapper configuration files ( /etc/hosts.allow and /etc/hosts.deny) for access control instead of /var/yp/securenets.
Note: while both of these access control mechanisms provide some security, they, like the privileged port test, are both vulnerable to "IP spoofing" attacks.
Refer to the ypbind(8) man page for details on how to force it to bind to a particular server.
This option affects the way
handles yp_match requests for the
By default, if
cannot find an entry for a given host in its hosts maps, it will
return an error and perform no further processing.
This feature is provided for compatibility with SunOS 4.1.x, which has brain-damaged resolver functions in its standard C library that depend on NIS for hostname and address resolution. The FreeBSD resolver can be configured to do DNS queries directly, therefore it is not necessary to enable this option when serving only FreeBSD NIS clients.
|Cause the server to run in debugging mode. Normally, ypserv reports only unusual errors (access violations, file access failures) using the syslog(3) facility. In debug mode, the server does not background itself and prints extra status messages to stderr for each request that it receives. Also, while running in debug mode, ypserv will not spawn any additional subprocesses as it normally does when handling yp_all requests or doing DNS lookups. (These actions often take a fair amount of time to complete and are therefore handled in subprocesses, allowing the parent server process to go on handling other requests.) This makes it easier to trace the server with a debugging tool.|
Specify a specific address to bind to for requests. This option may be
specified multiple times. If no
|Force ypserv to bind to a specific TCP/UDP port, rather than selecting its own.|
assumes that all
maps are stored under
|the NIS maps|
|name switch configuration file|
|host access control file|
|YPSERV (8)||December 13, 2009|
|Main index||Section 8||日本語||한국인||Options|
|“||Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.||”|
|— Jamie Zawinski|