From owner-freebsd-security Tue Sep 12 07:01:36 2000
Message-Id: <200009121359.e8CDxoI69308@cwsys.cwsent.com>
X-Mailer: exmh version 2.1.1 10/15/1999
X-OS: FreeBSD 4.1-RELEASE
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: "Peter Avalos"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
In-reply-to: Your message of "Mon, 11 Sep 2000 22:35:09 CDT."
Date: Tue, 12 Sep 2000 06:59:23 -0700
Sender: owner-freebsd-security@FreeBSD.ORG

In message, "Peter Avalos" writes:
> I'm running ypserv as a slave and ypbind on a 4.1-S machine.
>
> Snip from ypserv(8) manpage:
>
>      To make up for this, the FreeBSD version of ypserv handles the
>      master.passwd.byname and master.passwd.byuid maps in a special way. When
>      the server receives a request to access either of these two maps, it will
>      check the TCP port from which the request originated and return an error
>      if the port number is greater than 1023. Since only the superuser is
>      allowed to bind to TCP ports with values less than 1024, the server can
>      use this test to determine whether or not the access request came from a
>      privileged user. Any requests made by non-privileged users are therefore
>      rejected.
>
> This sounds like a wonderful thing, but why only tcp? I don't want people to
> ypcat master.passwd and get all the encrypted passwords on my system. I
> verified that a ypmatch uses udp on a port >1023 with tcpdump:
>
> ypmatch pavalos master.passwd
> pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
>
> stun-port 1994/udp #cisco serial tunnel port
>
> So my question is: Is this a configuration error, or a 'feature' (bug)?

I was unable to recreate your problem here at home (the only place I do use
YP). Tcpdump showed that appropriate ports were used when root or non-root
issued the request. Are you sure you weren't root or that ypmatch wasn't
setuid root on the client system?

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
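The check both posters describe (tcpdump the ypmatch exchange, then see whether master.passwd requests arrive from a port below 1024 and over which transport) can be scripted. The following is an added example, not code from the thread or from ypserv; it parses tcpdump lines of the form quoted above, with numeric ports assumed, and applies the ypserv(8) rule as quoted, reading it as examining the TCP port only, which is precisely the reading the original poster questions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the tcpdump output quoted above, using
# numeric ports (tcpdump -n) so no /etc/services lookup is needed.  Port 778
# plays the role of ypserv, as in the quoted capture; addresses are invented.
SAMPLE_CAPTURE = """\
06:35:27.149969 10.0.0.5.1994 > 10.0.0.5.778: udp 88
06:35:27.150136 10.0.0.5.778 > 10.0.0.5.1994: udp 108
06:36:02.001000 10.0.0.5.1994 > 10.0.0.5.778: tcp 88
06:36:40.500000 10.0.0.5.1012 > 10.0.0.5.778: tcp 88
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(udp|tcp)\s+(\d+)")
PROTECTED_MAPS = ("master.passwd.byname", "master.passwd.byuid")

@dataclass
class Packet:
    ts: str
    src_port: int
    dst_port: int
    proto: str

def parse_capture(text: str) -> List[Packet]:
    # Lines that do not match the "src.port > dst.port: proto len" shape are skipped.
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(3)), int(m.group(5)), m.group(6)))
    return packets

def is_privileged(port: int) -> bool:
    # Only root may bind a port below 1024; that is the property ypserv relies on.
    return 0 < port < 1024

def request_allowed(proto: str, src_port: int, map_name: str) -> bool:
    """ypserv(8) rule as quoted; the TCP-only reading is an assumption."""
    if map_name not in PROTECTED_MAPS:
        return True
    if proto != "tcp":
        return True          # UDP request: the quoted port check never runs
    return is_privileged(src_port)

def audit(text: str, server_port: int, map_name: str) -> List[Tuple[str, str, int, bool]]:
    """For every request sent to ypserv, report (ts, proto, src_port, allowed)."""
    return [(p.ts, p.proto, p.src_port, request_allowed(p.proto, p.src_port, map_name))
            for p in parse_capture(text) if p.dst_port == server_port]
```

Any row reporting a master.passwd request from a source port above 1023 that is still marked allowed is the UDP case the original poster is asking about.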