From owner-freebsd-hackers Tue Jan 10 21:52:41 1995
Return-Path: hackers-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id VAA18754 for hackers-outgoing; Tue, 10 Jan 1995 21:52:41 -0800
Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.cdrom.com (8.6.9/8.6.6) with ESMTP id VAA18748 for ; Tue, 10 Jan 1995 21:52:37 -0800
Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.8/8.6.6) id AAA00346 for freebsd-hackers@freebsd.org; Wed, 11 Jan 1995 00:50:43 -0500
From: Wankle Rotary Engine
Message-Id: <199501110550.AAA00346@skynet.ctr.columbia.edu>
Subject: First cut of NIS server code
To: freebsd-hackers@FreeBSD.org
Date: Wed, 11 Jan 1995 00:50:39 -0500 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 5715
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

Okay boys & girls:

I've uploaded the first cut of the ypserv stuff I've been working on
to freefall:/incoming/ypserv-2.0-current.tar.gz. (Hope that's the right
place.) Here come some notes:

The archive includes sources for ypserv, ypxfr, yppush, yppasswdd,
yp_mkdb and a modified /usr/bin/passwd that has yppasswd rolled into it.
There are binaries supplied too. The Makefiles were shamelessly stolen
and adapted from other parts of the FreeBSD source tree.

There is a getpwent.c.diff patch which needs to be applied to getpwent.c
in libc in order to properly allow a FreeBSD NIS client to properly
handle password maps in the master.passwd format. This patch, in concert
with some security checking features in ypserv, helps protect the
master.passwd maps from non-privileged users.

This patch changes the way YP lookups are done for the passwd maps: if
the user doing the lookup is the superuser, an attempt will be made to
do a yp_first on the master.passwd map. If this succeeds, the
master.passwd map will be transferred instead of the standard passwd map.
If it fails, the master.passwd transfer is aborted and the standard
passwd map is transferred instead. This allows FreeBSD client machines to
continue to work with standard NIS servers. There's a bit of a speed hit
involved in doing this, but only for the superuser: for normal users,
lookups should be about as fast as usual.

In any event, you will need to rebuild libc, and any statically-linked
binaries that use the getpwent routines for password authentication.

A YP Makefile, an mknetid script and a pwupdate script (for use with
yppasswdd) are provided. These may need to be edited before being
committed. I'm not sure how you guys want to swing this, so I'll leave
it to you to make the necessary mods.

Here are the changes/features for each program:

YPSERV:
- Modified to use db database format instead of GNU dbm
- All maps are read/write by root only.
- Implemented ypxfr capability
- With the -dns flag, the server will do DNS lookups for hosts not in
  the hosts.* maps -- changed to use actual resolver routines to avoid
  a possible looping condition (server queries itself)
- Put in checks for each map transfer function to check the port from
  which YP requests originate -- only the superuser will be allowed to
  transfer the master.passwd maps and do ypxfrs.
- Changed to background itself properly. If invoked with -debug, server
  remains in the foreground and prints copious status messages.

YPXFR:
- Converted to use db database format instead of GNU dbm
- Took out a lot of grungy debugging code.
- Changed certain function names to avoid conflicts with RPC xdr_*
  functions already in libc.

YPPUSH:
- Mostly the same as ypxfr

YP_MKDB:
- Converted to use db format

YPPASSWD:
- Merged with /usr/bin/passwd -- passwd now has -y -s and -f flags:

	passwd -y user		change YP password instead of local
	passwd -f user		change full name (gecos) in passwd map
	passwd -s user		change shell in passwd map

	yppasswd -> symlink to passwd (same as passwd -y)
	ypchfn   -> symlink to passwd (same as passwd -f)
	ypchsh   -> symlink to passwd (same as passwd -s)

YPPASSWDD:
- Hacked to support master.passwd format. If you invoke yppasswdd with
  no arguments, it will assume that /etc/master.passwd and /etc/passwd
  are the raw password files to use. The preferred invocation would be:

	yppasswdd -m /path/to/master.passwd -o /path/to/passwd -f -s

  The -s flag allows changes to the shell field in the password
  database. The -f flag allows changes to the gecos field. If you don't
  specify these flags, users will only be able to change their password.
  /path/to/master.passwd should be read/write by root only.

  If you plan to use FreeBSD to serve a standard NIS client (like a
  SunOS box), you'll also need to use the -u (unsecure) flag. yppasswdd
  normally strips passwords out of the standard /path/to/passwd file.
  This would break non-FreeBSD clients. Note that the
  /path/to/master.passwd file must exist even if you won't be serving
  FreeBSD clients. You do not need to create a map for it though. So, if
  you want to set up a FreeBSD machine to serve SunOS clients, do this:

  1) yppasswdd -m /path/to/master.passwd -o /path/to/passwd -f -s -u
  2) edit /var/yp/Makefile so that it doesn't rebuild
     master.passwd.byname and master.passwd.byuid by default

- If you do use /etc/master.passwd as your raw password file, yppasswdd
  will rebuild the standard databases for you as pwd_mkdb does.
- Runs /usr/libexec/pwupdate after a user changes a password, which is a
  script that contains the commands needed to update and push the
  password maps.

/var/yp/Makefile:
- Should rebuild all the necessary files -- will probably have to be
  edited for each system. Unfortunately, setting up NIS is not for the
  squeamish.

There are a couple of man pages here and there, but somebody will have
to worry about providing complete documentation: I don't do man pages.

Jordan: I hope you can try this stuff on freefall/thud/whatever to give
it a shakedown. If there are any really nasty problems, I'll try my best
to stomp them out.

Share and enjoy!

-Bill

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Bill Paul                System Manager
wpaul@ctr.columbia.edu    Center for Telecommunications Research
(212) 854-6020            Columbia University, New York City
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Møøse Illuminati: ignore it and be confused, or join it and be confusing!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
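
Added example (not part of the original message and not code from the ypserv archive): a minimal C model of the two checks the post describes, the server-side source-port test that guards the master.passwd maps and ypxfr, and the client-side fallback from master.passwd.byname to passwd.byname. All function names and the sample address are assumptions made for illustration; the map names follow the post.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: maps built from master.passwd carry password hashes. */
static int map_is_restricted(const char *map)
{
    static const char prefix[] = "master.passwd.";
    return strncmp(map, prefix, sizeof prefix - 1) == 0;
}

/* Server side: restricted maps and ypxfr transfers are served only to
 * requests whose source port is reserved (below IPPORT_RESERVED, 1024). */
int ypserv_allows(const char *map, const struct sockaddr_in *src, int is_xfr)
{
    int privileged = ntohs(src->sin_port) < IPPORT_RESERVED;
    return (is_xfr || map_is_restricted(map)) ? privileged : 1;
}

/* Client side: only root probes master.passwd.byname; if the server has no
 * such map (a standard NIS server) or refuses, use passwd.byname. */
const char *client_pick_map(int is_root, const struct sockaddr_in *src,
                            int server_has_master)
{
    if (is_root && server_has_master &&
        ypserv_allows("master.passwd.byname", src, 0))
        return "master.passwd.byname";
    return "passwd.byname";
}

/* Constructed sample request source: 10.0.0.5 with the given port. */
struct sockaddr_in sample_src(unsigned short port)
{
    struct sockaddr_in s;
    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_port = htons(port);
    s.sin_addr.s_addr = htonl(0x0a000005);
    return s;
}

int main(void)
{
    struct sockaddr_in root = sample_src(1023), user = sample_src(40000);
    printf("root: %s\n", client_pick_map(1, &root, 1));
    printf("user: %s\n", client_pick_map(0, &user, 1));
    return 0;
}
```

A reserved source port only shows that the request came from a root-owned process on some host, so this check is as strong as the trust placed in every machine that can reach the server.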