mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
fix some typos, and some slight clean up...
Closes PR#3266
This commit is contained in:
parent
ec93646d18
commit
6ecb7b2027
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=24946
@ -28,21 +28,21 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\" $Id: ypserv.8,v 1.11 1997/02/22 16:15:14 peter Exp $
.\"
.Dd February 4, 1995
.Dt YPSERV 8
.Os
.Sh NAME
.Nm ypserv
.Nd "NIS database server"
.Nd NIS database server
.Sh SYNOPSIS
.Nm ypserv
.Nm
.Op Fl n
.Op Fl d
.Op Fl p Ar path
.Sh DESCRIPTION
.Nm NIS
.Tn NIS
is an RPC-based service designed to allow a number of UNIX-based
machines to share a common set of configuration files. Rather than
requiring a system administrator to update several copies of files
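Review bot: the `$Id$` line changes from the bare keyword `.\" $Id$` to the expanded `.\" $Id: ypserv.8,v 1.11 1997/02/22 16:15:14 peter Exp $`; keyword expansion is the version control system's job, so check that the bare form was not meant to stay. The macro fixes in this hunk are right (`.Nd` without the quotes, `.Nm ypserv` shortened to `.Nm`, and `.Nm NIS` corrected to `.Tn NIS`, since NIS is not the program name). With the wording changing, consider also bumping `.Dd February 4, 1995`.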
@ -55,13 +55,14 @@ which tend to require frequent changes in most environments, NIS
allows groups of computers to share one set of data which can be
updated from a single location.
.Pp
.Nm ypserv
is the server that distributes NIS databases
The
.Nm
program is the server that distributes NIS databases
to client systems within an NIS
.Nm domain.
.Em domain .
Each client in an NIS domain must have its domainname set to
one of the domains served by
.Nm ypserv
.Nm
using the
.Xr domainname 1
command. The clients must also run
@ -70,21 +71,21 @@ in order to attach to a particular server, since it is possible to
have several servers within a single NIS domain.
.Pp
The databases distributed by
.Nm ypserv
.Nm
are stored in
.Pa /var/yp/[domainname]
where
.Pa domainname
is the name of the domain being served. There can be several
such directories with different domainnames, and you need only one
.Nm ypserv
.Nm
daemon to handle them all.
.Pp
The databases, or
.Pa maps
as they are often called,
are created by
.Nm /var/yp/Makefile
.Pa /var/yp/Makefile
using several system files as source. The database files are in
.Xr db 3
format to help speed retrieval when there are many records involved.
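Review bot: `.Pa /var/yp/[domainname]` and `.Pa domainname` mark a placeholder as a pathname; `domainname` is a value the administrator substitutes, so `.Pa /var/yp/ Ns Ar domainname` and `.Ar domainname` describe it correctly and render it distinctly from real paths. Likewise `.Pa maps` is not a path; `.Dq maps` would match the `.Dq` quoting this commit introduces elsewhere. The `.Nm /var/yp/Makefile` to `.Pa /var/yp/Makefile` change is right.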
@ -95,11 +96,12 @@ maps, but since the data in the other maps can be found in
other world-readable files anyway, it doesn't hurt and it's considered
good general practice.
.Pp
.Nm ypserv
is started by
.Nm /etc/rc
The
.Nm
program is started by
.Pa /etc/rc
if it has been enabled in
.Nm /etc/sysconfig.
.Pa /etc/sysconfig .
.Sh SPECIAL FEATURES
There are some problems associated with distributing FreeBSD's password
database via NIS: FreeBSD normally only stores encrypted passwords
@ -109,7 +111,7 @@ which is readable and writable only by root. By turning this file
into an NIS map, this security feature would be completely defeated.
.Pp
To make up for this, the FreeBSD version of
.Nm ypserv
.Nm
handles the
.Pa master.passwd.byname
and
@ -135,7 +137,7 @@ the standard
and
.Pa passwd.byuid
maps will be accessed instead. The latter two maps are constructed by
.Nm /var/yp/Makefile
.Pa /var/yp/Makefile
by parsing the
.Pa master.passwd
file and stripping out the password fields, and are therefore
@ -151,16 +153,18 @@ that users should
be aware of:
.Bl -enum -offset indent
.It
The 'TCP port less than 1024' test is trivial to defeat for users with
The
.Sq TCP port less than 1024
test is trivial to defeat for users with
unrestricted access to machines on your network (even those machines
which do not run UNIX-based operating systems).
.It
If you plan to use a FreeBSD system to serve non-FreeBSD clients that
have no support for password shadowing (which is most of them), you
will have to disable the password shadowing entirely by uncommenting the
.Nm UNSECURE=True
.Em UNSECURE=True
entry in
.Nm /var/yp/Makefile .
.Pa /var/yp/Makefile .
This will cause the standard
.Pa passwd.byname
and
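Review bot: `.Em UNSECURE=True` marks a Makefile variable assignment as emphasis; `.Dv UNSECURE=True` is the usual mdoc choice for a defined value and sits better beside the `.Pa /var/yp/Makefile .` fix that follows it. Since this list item is the one place the page tells an administrator to switch password shadowing off, it would help to say in the same sentence what that exposes: the password fields are no longer stripped from `passwd.byname` and `passwd.byuid`, so any client able to reach the server can read them, with only the securenets and tcpwrapper controls described later in the page limiting who that is. The `.Sq TCP port less than 1024` change is fine.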
@ -172,25 +176,27 @@ authentication through NIS.
.Pp
.Ss Security
In general, any remote user can issue an RPC to
.Nm ypserv
.Nm
and retrieve the contents of your NIS maps, provided the remote user
knows your domain name. To prevent such unauthorized transactions,
.Nm ypserv
.Nm
supports a feature called
.Pa securenets
which can be used to restrict access to a given set of hosts.
At startup,
.Nm ypserv
.Nm
will attempt to load the securenets information from a file
called
.Nm /var/yp/securenets .
.Pa /var/yp/securenets .
(Note that this path varies depending on the path specified with
the
.Fl p
option, which is explained below.) This file contains entries
that consist of a network specification and a network mask separated
by white space.
Lines starting with ``#'' are considered to be comments. A
Lines starting with
.Dq \&#
are considered to be comments. A
sample securenets file might look like this:
.Bd -unfilled -offset indent
# allow connections from local host -- mandatory
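Review bot: `.Pa securenets` names the feature rather than a file, while the file itself is correctly given as `.Pa /var/yp/securenets .` a few lines later; `.Dq securenets` (or `.Em`) for the feature keeps `.Pa` reserved for real paths, in line with the rest of this cleanup. The `.Dq \&#` change and the `.Nm` to `.Pa` fix for the file path are right. Minor doc point: "which is explained below" for the `.Fl p` option could be `.Sx OPTIONS` so the cross-reference survives later reordering of the page.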
@ -204,28 +210,29 @@ sample securenets file might look like this:
.Ed
.Pp
If
.Nm ypserv
.Nm
receives a request from an address that matches one of these rules,
it will process the request normally. If the address fails to match
a rule, the request will be ignored and a warning message will be
logged. If the
.Pa /var/yp/securenets
file does not exist,
.Nm ypserv
.Nm
will allow connections from any host.
.Pp
.Nm Ypserv
also has support for Wietse Venema's
.Pa tcpwrapper
The
.Nm
program also has support for Wietse Venema's
.Em tcpwrapper
package, though it is not compiled in by default since
the
.Pa tcpwrapper
.Em tcpwrapper
package is not distributed with FreeBSD. However, if you have
.Nm libwrap.a
.Pa libwrap.a
and
.Nm tcpd.h ,
.Pa tcpd.h ,
you can easily recompile
.Nm ypserv
.Nm
with them. This allows the administrator to use the tcpwrapper
configuration files (
.Pa /etc/hosts.allow
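Review bot: the sentence "If the `/var/yp/securenets` file does not exist, ypserv will allow connections from any host" documents an open-by-default condition without flagging it; since this page presents securenets as the access control for the server, a line advising administrators to create the file (at minimum with the mandatory local-host entry shown in the sample) would make the default explicit rather than something the reader has to infer. The macro changes in this hunk (`.Nm Ypserv` to `The .Nm program`, `.Pa tcpwrapper` to `.Em tcpwrapper`, and `.Nm libwrap.a` / `.Nm tcpd.h ,` to `.Pa`) are right.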
@ -236,11 +243,13 @@ for access control instead of
.Pp
Note: while both of these access control mechanisms provide some
security, they, like the privileged port test, are both vulnerable
to ``IP spoofing'' attacks.
to
.Dq IP spoofing
attacks.
.Pp
.Ss NIS v1 compatibility
This version of
.Nm ypserv
.Nm
has some support for serving NIS v1 clients. FreeBSD's NIS
implementation only uses the NIS v2 protocol, however other implementations
include support for the v1 protocol for backwards compatibility
@ -252,14 +261,14 @@ server even though they may never actually need it (and they may
persist in broadcasting in search of one even after they receive a
response from a v2 server). Note that while
support for normal client calls is provided, this version of
.Nm ypserv
.Nm
does not handle v1 map transfer requests; consequently, it can not
be used as a master or slave in conjunction with older NIS servers that
only support the v1 protocol. Fortunately, there probably aren't any
such servers still in use today.
.Ss NIS servers that are also NIS clients
Care must be taken when running
.Nm ypserv
.Nm
in a multi-server domain where the server machines are also
NIS clients. It is generally a good idea to force the servers to
bind to themselves rather than allowing them to broadcast bind
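Review bot: "it can not be used as a master or slave" should read "cannot" (one word); worth catching here since this commit is a typo pass, and the `.Nm ypserv` to `.Nm` change on the adjacent line is right. "Fortunately, there probably aren't any such servers still in use today" is a prediction that will read oddly as the page ages; stating the limitation plainly (no v1 map transfer support, so no master or slave role with v1-only servers) and dropping the forecast is more durable.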
@ -276,26 +285,26 @@ man page for details on how to force it to bind to a particular
server.
.Sh OPTIONS
The following options are supported by
.Nm ypserv :
.Nm Ns :
.Bl -tag -width flag
.It Fl n
This option affects the way
.Nm ypserv
.Nm
handles yp_match requests for the
.Pa hosts.byname
and
.Pa hosts.byaddress
maps. By default, if
.Nm ypserv
.Nm
can't find an entry for a given host in its hosts maps, it will
return an error and perform no further processing. With the
.Fl n
flag,
.Nm ypserv
.Nm
will go one step further: rather than giving up immediately, it
will try to resolve the hostname or address using a DNS nameserver
query. If the query is successful,
.Nm ypserv
.Nm
will construct a fake database record and return it to the client,
thereby making it seem as though the client's yp_match request
succeeded.
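Review bot: `.Pa hosts.byaddress` does not match the standard NIS map name, which is `hosts.byaddr` (the `.Pa hosts.byname` line just above it is correct); since this commit is a typo pass, fix it here too. `.Nm Ns :` is the right way to attach the colon to the program name. On the `-n` text itself: it describes building a "fake database record" from a DNS answer and returning it as if the yp_match had succeeded; one sentence noting that with this flag the server passes whatever the configured nameserver returns on to NIS clients as host data would help an administrator decide whether enabling it is appropriate for their environment.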
@ -308,14 +317,14 @@ queries directly, therefore it is not necessary to enable this
option when serving only FreeBSD NIS clients.
.It Fl d
Causes the server to run in debugging mode. Normally,
.Nm ypserv
.Nm
reports only unusual errors (access violations, file access failures)
using the
.Xr syslog 3
facility. In debug mode, the server does not background
itself and prints extra status messages to stderr for each
request that it revceives. Also, while running in debug mode,
.Nm ypserv
request that it receives. Also, while running in debug mode,
.Nm
will not spawn any additional subprocesses as it normally does
when handling yp_all requests or doing DNS lookups. (These actions
often take a fair amount of time to complete and are therefore handled
@ -324,7 +333,7 @@ other requests.) This makes it easier to trace the server with
a debugging tool.
.It Fl p Ar path
Normally,
.Nm ypserv
.Nm
assumes that all NIS maps are stored under
.Pa /var/yp .
The
@ -354,6 +363,6 @@ Host access control file
Bill Paul <wpaul@ctr.columbia.edu>
.Sh HISTORY
This version of
.Nm ypserv
.Nm
first appeared in
.Fx 2.2 .
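Review bot: the unchanged context line `Bill Paul <wpaul@ctr.columbia.edu>` is the one remaining spot that would benefit from the macro cleanup this commit does; `.An Bill Paul Aq wpaul@ctr.columbia.edu` is the mdoc form and renders the address consistently with the rest of the page. The `.Nm ypserv` to `.Nm` change and `.Fx 2.2 .` in HISTORY are fine as they are.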