1.\" Copyright (c) 1995 2.\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by Bill Paul. 15.\" 4. Neither the name of the author nor the names of any co-contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD: src/usr.sbin/ypserv/ypserv.8,v 1.22.2.8 2002/12/29 16:35:44 schweikh Exp $ 32.\" $DragonFly: src/usr.sbin/ypserv/ypserv.8,v 1.5 2006/03/26 22:56:58 swildner Exp $ 33.\" 34.Dd February 4, 1995 35.Dt YPSERV 8 36.Os 37.Sh NAME 38.Nm ypserv 39.Nd NIS database server 40.Sh SYNOPSIS 41.Nm 42.Op Fl n 43.Op Fl d 44.Op Fl p Ar path 45.Sh DESCRIPTION 46.Tn NIS 47is an RPC-based service designed to allow a number of UNIX-based 48machines to share a common set of configuration files. 49Rather than 50requiring a system administrator to update several copies of files 51such as 52.Pa /etc/hosts , 53.Pa /etc/passwd 54and 55.Pa /etc/group , 56which tend to require frequent changes in most environments, 57.Tn NIS 58allows groups of computers to share one set of data which can be 59updated from a single location. 60.Pp 61The 62.Nm 63program is the server that distributes 64.Tn NIS 65databases to client systems within an 66.Tn NIS 67.Em domain . 68Each client in an 69.Tn NIS 70domain must have its domainname set to 71one of the domains served by 72.Nm 73using the 74.Xr domainname 1 75command. 76The clients must also run 77.Xr ypbind 8 78in order to attach to a particular server, since it is possible to 79have several servers within a single 80.Tn NIS 81domain. 82.Pp 83The databases distributed by 84.Nm 85are stored in 86.Pa /var/yp/[domainname] 87where 88.Pa domainname 89is the name of the domain being served. 90There can be several 91such directories with different domainnames, and you need only one 92.Nm 93daemon to handle them all. 94.Pp 95The databases, or 96.Pa maps 97as they are often called, 98are created by 99.Pa /var/yp/Makefile 100using several system files as source. 101The database files are in 102.Xr db 3 103format to help speed retrieval when there are many records involved. 104In 105.Dx , 106the maps are always readable and writable only by root for security 107reasons. 108Technically this is only necessary for the password 109maps, but since the data in the other maps can be found in 110other world-readable files anyway, it doesn't hurt and it's considered 111good general practice. 112.Pp 113The 114.Nm 115program is started by 116.Pa /etc/rc.network 117if it has been enabled in 118.Pa /etc/rc.conf . 119.Sh SPECIAL FEATURES 120There are some problems associated with distributing a 121.Dx 122password 123database via 124.Tn NIS Ns : 125.Dx 126normally only stores encrypted passwords 127in 128.Pa /etc/master.passwd , 129which is readable and writable only by root. 130By turning this file 131into an 132.Tn NIS 133map, this security feature would be completely defeated. 134.Pp 135To make up for this, the 136.Dx 137version of 138.Nm 139handles the 140.Pa master.passwd.byname 141and 142.Pa master.passwd.byuid 143maps in a special way. 144When the server receives a request to access 145either of these two maps, it will check the TCP port from which the 146request originated and return an error if the port number is greater 147than 1023. 148Since only the superuser is allowed to bind to TCP ports 149with values less than 1024, the server can use this test to determine 150whether or not the access request came from a privileged user. 151Any requests made by non-privileged users are therefore rejected. 152.Pp 153Furthermore, the 154.Xr getpwent 3 155routines in the 156.Dx 157standard C library will only attempt to retrieve 158data from the 159.Pa master.passwd.byname 160and 161.Pa master.passwd.byuid 162maps for the superuser: if a normal user calls any of these functions, 163the standard 164.Pa passwd.byname 165and 166.Pa passwd.byuid 167maps will be accessed instead. 168The latter two maps are constructed by 169.Pa /var/yp/Makefile 170by parsing the 171.Pa master.passwd 172file and stripping out the password fields, and are therefore 173safe to pass on to unprivileged users. 174In this way, the shadow password 175aspect of the protected 176.Pa master.passwd 177database is maintained through 178.Tn NIS . 179.Sh NOTES 180.Ss Setting Up Master and Slave Servers 181.Xr ypinit 8 182is a convenient script that will help setup master and slave 183.Tn NIS 184servers. 185.Ss Limitations 186There are two problems inherent with password shadowing in 187.Tn NIS 188that users should 189be aware of: 190.Bl -enum -offset indent 191.It 192The 193.Sq TCP port less than 1024 194test is trivial to defeat for users with 195unrestricted access to machines on your network (even those machines 196which do not run UNIX-based operating systems). 197.It 198If you plan to use a 199.Dx 200system to serve 201.No non- Ns Dx Ns / Ns Fx 202clients that 203have no support for password shadowing (which is most of them), you 204will have to disable the password shadowing entirely by uncommenting the 205.Em UNSECURE=True 206entry in 207.Pa /var/yp/Makefile . 208This will cause the standard 209.Pa passwd.byname 210and 211.Pa passwd.byuid 212maps to be generated with valid encrypted password fields, which is 213necessary in order for 214.No non- Ns Dx Ns / Ns Fx 215clients to perform user 216authentication through 217.Tn NIS . 218.El 219.Ss Security 220In general, any remote user can issue an RPC to 221.Nm 222and retrieve the contents of your 223.Tn NIS 224maps, provided the remote user 225knows your domain name. 226To prevent such unauthorized transactions, 227.Nm 228supports a feature called 229.Pa securenets 230which can be used to restrict access to a given set of hosts. 231At startup, 232.Nm 233will attempt to load the securenets information from a file 234called 235.Pa /var/yp/securenets . 236(Note that this path varies depending on the path specified with 237the 238.Fl p 239option, which is explained below.) 240This file contains entries 241that consist of a network specification and a network mask separated 242by white space. 243Lines starting with 244.Dq \&# 245are considered to be comments. 246A 247sample securenets file might look like this: 248.Bd -unfilled -offset indent 249# allow connections from local host -- mandatory 250127.0.0.1 255.255.255.255 251# allow connections from any host 252# on the 192.168.128.0 network 253192.168.128.0 255.255.255.0 254# allow connections from any host 255# between 10.0.0.0 to 10.0.15.255 25610.0.0.0 255.255.240.0 257.Ed 258.Pp 259If 260.Nm 261receives a request from an address that matches one of these rules, 262it will process the request normally. 263If the address fails to match 264a rule, the request will be ignored and a warning message will be 265logged. 266If the 267.Pa /var/yp/securenets 268file does not exist, 269.Nm 270will allow connections from any host. 271.Pp 272The 273.Nm 274program also has support for Wietse Venema's 275.Em tcpwrapper 276package, though it is not compiled in by default since 277the 278.Em tcpwrapper 279package is not distributed with 280.Dx . 281However, if you have 282.Pa libwrap.a 283and 284.Pa tcpd.h , 285you can easily recompile 286.Nm 287with them. 288This allows the administrator to use the tcpwrapper 289configuration files 290.Pa ( /etc/hosts.allow 291and 292.Pa /etc/hosts.deny ) 293for access control instead of 294.Pa /var/yp/securenets . 295.Pp 296Note: while both of these access control mechanisms provide some 297security, they, like the privileged port test, are both vulnerable 298to 299.Dq IP spoofing 300attacks. 301.Ss NIS v1 compatibility 302This version of 303.Nm 304has some support for serving 305.Tn NIS 306v1 clients. 307The 308.Dx 309.Tn NIS 310implementation only uses the 311.Tn NIS 312v2 protocol, however other implementations 313include support for the v1 protocol for backwards compatibility 314with older systems. 315The 316.Xr ypbind 8 317daemons supplied with these systems will try to establish a binding 318to an 319.Tn NIS 320v1 server even though they may never actually need it (and they may 321persist in broadcasting in search of one even after they receive a 322response from a v2 server). Note that while 323support for normal client calls is provided, this version of 324.Nm 325does not handle v1 map transfer requests; consequently, it cannot 326be used as a master or slave in conjunction with older 327.Tn NIS 328servers that 329only support the v1 protocol. 330Fortunately, there probably aren't any 331such servers still in use today. 332.Ss NIS servers that are also NIS clients 333Care must be taken when running 334.Nm 335in a multi-server domain where the server machines are also 336.Tn NIS 337clients. 338It is generally a good idea to force the servers to 339bind to themselves rather than allowing them to broadcast bind 340requests and possibly become bound to each other: strange failure 341modes can result if one server goes down and 342others are dependent upon on it. 343(Eventually all the clients will 344time out and attempt to bind to other servers, but the delay 345involved can be considerable and the failure mode is still present 346since the servers might bind to each other all over again). 347.Pp 348Refer to the 349.Xr ypbind 8 350man page for details on how to force it to bind to a particular 351server. 352.Sh OPTIONS 353The following options are supported by 354.Nm : 355.Bl -tag -width flag 356.It Fl n 357This option affects the way 358.Nm 359handles yp_match requests for the 360.Pa hosts.byname 361and 362.Pa hosts.byaddress 363maps. 364By default, if 365.Nm 366can't find an entry for a given host in its hosts maps, it will 367return an error and perform no further processing. 368With the 369.Fl n 370flag, 371.Nm 372will go one step further: rather than giving up immediately, it 373will try to resolve the hostname or address using a DNS nameserver 374query. 375If the query is successful, 376.Nm 377will construct a fake database record and return it to the client, 378thereby making it seem as though the client's yp_match request 379succeeded. 380.Pp 381This feature is provided for compatibility with SunOS 4.1.x, 382which has brain-damaged resolver functions in its standard C 383library that depend on 384.Tn NIS 385for hostname and address resolution. 386The 387.Dx 388resolver can be configured to do DNS 389queries directly, therefore it is not necessary to enable this 390option when serving only 391.Dx 392.Tn NIS 393clients. 394.It Fl d 395Cause the server to run in debugging mode. 396Normally, 397.Nm 398reports only unusual errors (access violations, file access failures) 399using the 400.Xr syslog 3 401facility. 402In debug mode, the server does not background 403itself and prints extra status messages to stderr for each 404request that it receives. 405Also, while running in debug mode, 406.Nm 407will not spawn any additional subprocesses as it normally does 408when handling yp_all requests or doing DNS lookups. 409(These actions 410often take a fair amount of time to complete and are therefore handled 411in subprocesses, allowing the parent server process to go on handling 412other requests.) 413This makes it easier to trace the server with 414a debugging tool. 415.It Fl p Ar path 416Normally, 417.Nm 418assumes that all 419.Tn NIS 420maps are stored under 421.Pa /var/yp . 422The 423.Fl p 424flag may be used to specify an alternate 425.Tn NIS 426root path, allowing 427the system administrator to move the map files to a different place 428within the filesystem. 429.El 430.Sh FILES 431.Bl -tag -width Pa -compact 432.It Pa /var/yp/[domainname]/[maps] 433the 434.Tn NIS 435maps 436.It Pa /etc/host.conf 437resolver configuration file 438.It Pa /var/yp/securenets 439host access control file 440.El 441.Sh SEE ALSO 442.Xr ypcat 1 , 443.Xr db 3 , 444.Xr rpc.yppasswdd 8 , 445.Xr yp 8 , 446.Xr ypbind 8 , 447.Xr ypinit 8 , 448.Xr yppush 8 , 449.Xr ypxfr 8 450.Sh HISTORY 451This version of 452.Nm 453first appeared in 454.Fx 2.2 . 455.Sh AUTHORS 456.An Bill Paul Aq wpaul@ctr.columbia.edu 457