From: Brian Somers Date: Sat, 18 Jul 2009 20:19:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r195756 - in stable/7: share/man/man8 usr.bin/ypcat usr.bin/ypmatch usr.bin/ypwhich usr.sbin/ypserv X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Jul 2009 20:19:27 -0000 Author: brian Date: Sat Jul 18 20:19:25 2009 New Revision: 195756 URL: http://svn.freebsd.org/changeset/base/195756 Log: MFC: Support shadow.byname and shadow.byuid maps, protecting them by insisting on privileged port access. Include /var/yp/Makefile.local if it exists and suggest using it to override /var/yp/Makefile behaviour. Modified: stable/7/share/man/man8/ (props changed) stable/7/share/man/man8/yp.8 stable/7/usr.bin/ypcat/ (props changed) stable/7/usr.bin/ypcat/ypcat.c stable/7/usr.bin/ypmatch/ (props changed) stable/7/usr.bin/ypmatch/ypmatch.c stable/7/usr.bin/ypwhich/ (props changed) stable/7/usr.bin/ypwhich/ypwhich.c stable/7/usr.sbin/ypserv/ (props changed) stable/7/usr.sbin/ypserv/Makefile.yp stable/7/usr.sbin/ypserv/yp_access.c stable/7/usr.sbin/ypserv/ypserv.8 Modified: stable/7/share/man/man8/yp.8 ============================================================================== --- stable/7/share/man/man8/yp.8 Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/share/man/man8/yp.8 Sat Jul 18 20:19:25 2009 (r195756) @@ -28,7 +28,7 @@ .\" from: @(#)yp.8 1.0 (deraadt) 4/26/93 .\" $FreeBSD$ .\" -.Dd April 5, 1993 +.Dd June 25, 2009 .Dt YP 8 .Os .Sh NAME 
@@ -310,9 +310,15 @@ The .Tn NIS .Pa Makefile .Pq Pa /var/yp/Makefile -will do this automatically if the administrator comments out the -line which says -.Dq Li NOPUSH=true +will do this automatically if the administrator creates +.Pa /var/yp/Makefile.local +and empties the +.Va NOPUSH +variable: +.Bd -literal -offset four +.Li NOPUSH= +.Ed +.Pp .Va ( NOPUSH is set to true by default because the default configuration is for a small network with only one @@ -394,9 +400,11 @@ To help prevent this, .Fx Ns 's .Tn NIS server handles the shadow password maps -.Pa ( master.passwd.byname +.Pa ( master.passwd.byname , +.Pa master.passwd.byuid , +.Pa shadow.byname and -.Pa master.passwd.byuid ) +.Pa shadow.byuid ) in a special way: the server will only provide access to these maps in response to requests that originate on privileged ports. Since only the super-user is allowed to bind to a privileged port, Modified: stable/7/usr.bin/ypcat/ypcat.c ============================================================================== --- stable/7/usr.bin/ypcat/ypcat.c Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.bin/ypcat/ypcat.c Sat Jul 18 20:19:25 2009 (r195756) @@ -52,6 +52,7 @@ struct ypalias { } ypaliases[] = { { "passwd", "passwd.byname" }, { "master.passwd", "master.passwd.byname" }, + { "shadow", "shadow.byname" }, { "group", "group.byname" }, { "networks", "networks.byaddr" }, { "hosts", "hosts.byaddr" }, Modified: stable/7/usr.bin/ypmatch/ypmatch.c ============================================================================== --- stable/7/usr.bin/ypmatch/ypmatch.c Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.bin/ypmatch/ypmatch.c Sat Jul 18 20:19:25 2009 (r195756) 
@@ -52,6 +52,7 @@ struct ypalias { } ypaliases[] = { { "passwd", "passwd.byname" }, { "master.passwd", "master.passwd.byname" }, + { "shadow", "shadow.byname" }, { "group", "group.byname" }, { "networks", "networks.byaddr" }, { "hosts", "hosts.byname" }, Modified: stable/7/usr.bin/ypwhich/ypwhich.c ============================================================================== --- stable/7/usr.bin/ypwhich/ypwhich.c Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.bin/ypwhich/ypwhich.c Sat Jul 18 20:19:25 2009 (r195756) @@ -64,6 +64,7 @@ struct ypalias { } ypaliases[] = { { "passwd", "passwd.byname" }, { "master.passwd", "master.passwd.byname" }, + { "shadow", "shadow.byname" }, { "group", "group.byname" }, { "networks", "networks.byaddr" }, { "hosts", "hosts.byaddr" }, Modified: stable/7/usr.sbin/ypserv/Makefile.yp ============================================================================== --- stable/7/usr.sbin/ypserv/Makefile.yp Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.sbin/ypserv/Makefile.yp Sat Jul 18 20:19:25 2009 (r195756) 
@@ -11,33 +11,40 @@ # This Makefile can be modified to support more NIS maps if desired. # -# If this machine is an NIS master, comment out this next line so -# that changes to the NIS maps can be propagated to the slave servers. -# (By default we assume that we are only serving a small domain with -# only one server.) +# If this machine is an NIS master, reset this variable (NOPUSH=) +# in Makefile.local so that changes to the NIS maps can be propagated to +# the slave servers. (By default we assume that we are only serving a +# small domain with only one server.) # NOPUSH = "True" +# If this machine does not wish to generate a linux-style shadow map +# from the master.passwd file, reset this variable (SHADOW=) in +# Makefile.local. +SHADOW = "True" + # If you want to use a FreeBSD NIS server to serve non-FreeBSD clients # (i.e. clients who expect the password field in the passwd maps to be -# valid) then uncomment this line. This will cause $YPDIR/passwd to -# be generated with valid password fields. This is insecure: FreeBSD -# normally only serves the master.passwd maps (which have real encrypted -# passwords in them) to the superuser on other FreeBSD machines, but -# non-FreeBSD clients (e.g. SunOS, Solaris (without NIS+), IRIX, HP-UX, -# etc...) will only work properly in 'unsecure' mode. +# valid) then set this variable (UNSECURE="True") in Makefile.local. +# This will cause $YPDIR/passwd to be generated with valid password +# fields. This is insecure: FreeBSD normally only serves the +# master.passwd and shadow maps (which have real encrypted passwords +# in them) to the superuser on other FreeBSD machines, but non-FreeBSD +# clients (e.g. SunOS, Solaris (without NIS+), IRIX, HP-UX, etc...) +# will only work properly in 'unsecure' mode. # #UNSECURE = "True" # The following line encodes the YP_INTERDOMAIN key into the hosts.byname # and hosts.byaddr maps so that ypserv(8) will do DNS lookups to resolve -# hosts not in the current domain. 
Commenting this line out will disable -# the DNS lookups. +# hosts not in the current domain. Resetting this variable in +# Makefile.local (B=) will disable the DNS lookups. B=-b -# Normally, the master.passwd.* maps are guarded against access from -# non-privileged users. By commenting out the following line, the YP_SECURE -# key will be removed from these maps, allowing anyone to access them. +# Normally, the master.passwd.* and shadow.* maps are guarded against access +# from non-privileged users. By resetting S in Makefile.local (S=), the +# YP_SECURE key will be removed from these maps, allowing anyone to access +# them. S=-s # These are commands which this Makefile needs to properly rebuild the @@ -118,6 +125,17 @@ PUBLICKEY = $(YPSRCDIR)/publickey NETID = $(YPSRCDIR)/netid AMDHOST = $(YPSRCDIR)/amd.map +target: + @if [ ! -d $(DOMAIN) ]; then mkdir $(DOMAIN); fi; \ + cd $(DOMAIN) ; echo "NIS Map update started on `date` for domain $(DOMAIN)" ; \ + make -f ../Makefile all; echo "NIS Map update completed." + +# Read overrides. Note, the current directory will be /var/yp/ +# when 'all' is built. +.if exists(${YPDIR}/Makefile.local) +.include "${YPDIR}/Makefile.local" +.endif + # List of maps that are always built. # If you want to omit some of them, feel free to comment # them out from this list. @@ -148,6 +166,9 @@ NETGROUP= /dev/null .if exists($(MASTER)) TARGETS+= passwd master.passwd netid +.if ${SHADOW} == "\"True\"" +TARGETS+= shadow +.endif .else MASTER= /dev/null TARGETS+= nopass @@ -171,11 +192,6 @@ TARGETS+= ipnodes IPNODES= /dev/null .endif -target: - @if [ ! -d $(DOMAIN) ]; then mkdir $(DOMAIN); fi; \ - cd $(DOMAIN) ; echo "NIS Map update started on `date` for domain $(DOMAIN)" ; \ - make -f ../Makefile all; echo "NIS Map update completed." - all: $(TARGETS) ethers: ethers.byname ethers.byaddr 
@@ -187,6 +203,7 @@ protocols: protocols.bynumber protocols. rpc: rpc.byname rpc.bynumber services: services.byname passwd: passwd.byname passwd.byuid +shadow: shadow.byname shadow.byuid group: group.byname group.bygid netgrp: netgroup netid: netid.byname @@ -207,6 +224,10 @@ pushpw: @$(DBLOAD) -c @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) master.passwd.byname ; fi @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) master.passwd.byuid ; fi +.if ${SHADOW} == "\"True\"" + @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) shadow.byname ; fi + @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) shadow.byuid ; fi +.endif @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) passwd.byname ; fi @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) passwd.byuid ; fi @@ -586,6 +607,36 @@ master.passwd.byuid: $(MASTER) .endif +shadow.byname: $(MASTER) + @echo "Updating $@..." +.if ${MASTER} == "/dev/null" + @echo "Master.passwd source file not found -- skipping" +.else + @$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ + print $$1"\t"$$1":"$$2":12000:0:99999:7:::" }' $(MASTER) \ + | sed 's/\( [^:]*:\)\*:/\1!:/' \ + | $(DBLOAD) ${S} -f -i $(PASSWD) -o $(YPMAPDIR)/$@ - $(TMP); \ + $(RMV) $(TMP) $@ + @$(DBLOAD) -c + @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi + @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi +.endif + +shadow.byuid: $(MASTER) + @echo "Updating $@..." +.if ${MASTER} == "/dev/null" + @echo "Master.passwd source file not found -- skipping" +.else + @$(AWK) -F: '{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 != "+") \ + print $$3"\t"$$1":"$$2":12000:0:99999:7:::" }' $(MASTER) \ + | sed 's/\( [^:]*:\)\*:/\1!:/' \ + | $(DBLOAD) ${S} -f -i $(PASSWD) -o $(YPMAPDIR)/$@ - $(TMP); \ + $(RMV) $(TMP) $@ + @$(DBLOAD) -c + @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi + @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi +.endif + amd.map: $(AMDHOST) @echo "Updating $@..." @$(AWK) '$$1 !~ "^#.*" { \ 
@@ -604,4 +655,3 @@ amd.map: $(AMDHOST) @$(DBLOAD) -c @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi @if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi - Modified: stable/7/usr.sbin/ypserv/yp_access.c ============================================================================== --- stable/7/usr.sbin/ypserv/yp_access.c Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.sbin/ypserv/yp_access.c Sat Jul 18 20:19:25 2009 (r195756) @@ -178,9 +178,9 @@ load_securenets(void) * yp_access() checks the mapname and client host address and watches for * the following things: * - * - If the client is referencing one of the master.passwd.* maps, it must - * be using a privileged port to make its RPC to us. If it is, then we can - * assume that the caller is root and allow the RPC to succeed. If it + * - If the client is referencing one of the master.passwd.* or shadow.* maps, + * it must be using a privileged port to make its RPC to us. If it is, then + * we can assume that the caller is root and allow the RPC to succeed. If it * isn't access is denied. * * - The client's IP address is checked against the securenets rules. @@ -254,7 +254,7 @@ possible spoof attempt from %s:%d", #ifdef DB_CACHE if ((yp_testflag((char *)map, (char *)domain, YP_SECURE) || #else - if ((strstr(map, "master.passwd.") || + if ((strstr(map, "master.passwd.") || strstr(map, "shadow.") || #endif (rqstp->rq_prog == YPPROG && rqstp->rq_proc == YPPROC_XFR) || Modified: stable/7/usr.sbin/ypserv/ypserv.8 ============================================================================== --- stable/7/usr.sbin/ypserv/ypserv.8 Sat Jul 18 17:38:18 2009 (r195755) +++ stable/7/usr.sbin/ypserv/ypserv.8 Sat Jul 18 20:19:25 2009 (r195756) @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 3, 2008 +.Dd June 25, 2009 .Dt YPSERV 8 .Os .Sh NAME 
@@ -142,7 +142,11 @@ and .Pa master.passwd.byuid maps in a special way. When the server receives a request to access -either of these two maps, it will check the TCP port from which the +either of these two maps (or in fact either of the +.Pa shadow.byname +or +.Pa shadow.byuid +maps), it will check the TCP port from which the request originated and return an error if the port number is greater than 1023. Since only the superuser is allowed to bind to TCP ports
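Review bot: In the Makefile.yp hunk at @@ -118,6 +125,17 @@, the new `.include "${YPDIR}/Makefile.local"` lets that file override S, UNSECURE and SHADOW, the variables that decide whether password hashes are exported and to whom, but neither the comment above the include nor the yp.8 text says what ownership and mode the file should have. Suggest documenting that it must be root-owned and not group- or world-writable, like /var/yp/Makefile itself. A one-line comment explaining why `target:` was moved above the include would also help the next reader of this file.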
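Review bot: In the Makefile.yp hunk at @@ -148,6 +166,9 @@ (and again in pushpw at @@ -207,6 +224,10 @@), `.if ${SHADOW} == "\"True\""` matches only the exact quoted default, so an override such as SHADOW=True or SHADOW=yes in Makefile.local silently drops the shadow maps. NOPUSH in the same file is tested for emptiness with `[ ! $(NOPUSH) ]`, and the new comment documents disabling as `SHADOW=`. Suggest `.if !empty(SHADOW)` so that any non-empty value enables the maps and only the documented empty value disables them.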
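Review bot: In the shadow.byname and shadow.byuid rules added at @@ -586,6 +607,36 @@, the awk program appends the fixed tail `:12000:0:99999:7:::` to every record and reads only $$1 and $$2 (plus $$3 as the key), so the password-change and account-expiry fields of master.passwd never reach the shadow map and every account is published with the same last-change and aging values. There is no comment saying what the constants mean or that dropping expiry is intended. Suggest a comment naming the shadow fields being filled (last change, min, max, warn) and stating whether expiry is deliberately left empty. The two rules differ only in the key field, so the shared pipeline could be factored out.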
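Review bot: In the yp_access.c hunk at @@ -254,7 +254,7 @@, `strstr(map, "shadow.")` matches the string anywhere in the map name rather than as a prefix, and it sits only in the #else branch: a DB_CACHE build never looks at the name and relies on `yp_testflag(..., YP_SECURE)` alone. The two builds therefore behave differently once an administrator resets `S=` in Makefile.local as the Makefile.yp comment describes: with DB_CACHE the shadow.* maps become readable from unprivileged ports, without it the name test still applies. Suggest `strncmp(map, "shadow.", 7) == 0` for the name test and a sentence in the comment block above yp_access() saying which mechanism protects these maps in each build.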
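Review bot: In the ypserv.8 hunk at @@ -142,7 +142,11 @@, the added parenthetical leaves the sentence reading "either of these two maps (or in fact either of the shadow.byname or shadow.byuid maps)", which still tells the reader that two maps are protected. The yp.8 hunk in this same commit lists all four maps in one sentence. Suggest rewording this paragraph the same way so both manual pages name master.passwd.byname, master.passwd.byuid, shadow.byname and shadow.byuid together.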