From owner-freebsd-security Tue Sep 12 7:28:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from theshell.com (arsenic.theshell.com [63.236.138.5])
	by hub.freebsd.org (Postfix) with SMTP id A15B637B424
	for ; Tue, 12 Sep 2000 07:28:32 -0700 (PDT)
Received: (qmail 24152 invoked by uid 501); 12 Sep 2000 14:28:36 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
	by localhost with SMTP; 12 Sep 2000 14:28:36 -0000
Date: Tue, 12 Sep 2000 07:28:36 -0700 (PDT)
From: Peter Avalos
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
In-Reply-To: <200009121359.e8CDxoI69308@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:

> In message , "Peter Avalos" writes:
> > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> >
> > Snip from ypserv(8) manpage:
> >
> > To make up for this, the FreeBSD version of ypserv handles the
> > master.passwd.byname and master.passwd.byuid maps in a special way. When
> > the server receives a request to access either of these two maps, it will
> > check the TCP port from which the request originated and return an error
> > if the port number is greater than 1023. Since only the superuser is
> > allowed to bind to TCP ports with values less than 1024, the server can use
> > this test to determine whether or not the access request came from a
> > privileged user. Any requests made by non-privileged users are therefore
> > rejected.
> >
> > This sounds like a wonderful thing, but why only tcp? I don't want people to
> > ypcat master.passwd and get all the encrypted passwords on my system. I
> > verified that a ypmatch uses udp on a port >1023 with tcpdump:
> >
> > ypmatch pavalos master.passwd
> > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> >
> > stun-port 1994/udp #cisco serial tunnel port
> >
> > So my question is: Is this a configuration error, or a 'feature' (bug)?
>
> I was unable to recreate your problem here at home (the only place I do
> use YP). Tcpdump showed that appropriate ports were used when root or
> non-root issued the request. Are you sure you weren't root or
> that ypmatch wasn't setuid root on the client system?
>
>

The correct ports are being used. My issue is that a request from a
non-root user (port >1023) gives out the encrypted password. According to
the manpage, any request from tcp port >1023 will be denied for
master.passwd.* maps. This seems like its logic is half-correct. My
question is why is it only tcp since these yp requests are over udp?

Regards,
Peter Avalos
TheShell.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
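
The tcpdump check described in the message above, as an added example that is not part of the original message or of ypserv: it parses the two quoted capture lines, resolves the symbolic port from the quoted services entry, and reports packets that reach the server port from a source port of 1024 or higher. That 778 is the port ypserv was bound to is an assumption read off the capture, and the function names are hypothetical.

```python
import re

# Constructed from the capture quoted in the message (old-style tcpdump output).
CAPTURE = """\
06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
"""

# services entry quoted in the message; tcpdump printed the name, not the number.
SERVICES = {"stun-port": 1994}

IPPORT_RESERVED = 1024  # ports below this value require root to bind

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<proto>udp|tcp)\b")


def split_endpoint(endpoint, services):
    """Split 'host.port' on the last dot and resolve a symbolic port name.

    Raises KeyError for a service name that is not in the supplied table.
    """
    host, _, port = endpoint.rpartition(".")
    number = int(port) if port.isdigit() else services[port]
    return host, number


def unprivileged_requests(capture, server_port, services=SERVICES):
    """Return (timestamp, proto, source_port) for every packet sent to
    server_port from a source port a non-root process could have bound."""
    hits = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a packet summary line
        _, sport = split_endpoint(m["src"], services)
        _, dport = split_endpoint(m["dst"], services)
        if dport == server_port and sport >= IPPORT_RESERVED:
            hits.append((m["ts"], m["proto"], sport))
    return hits


if __name__ == "__main__":
    # Assumption: 778 is ypserv's port on this host, as the capture suggests.
    for ts, proto, sport in unprivileged_requests(CAPTURE, 778):
        print(f"{ts} {proto} request from unprivileged port {sport}")
```

The summary lines alone do not identify the RPC procedure or map name, so a hit only shows that a request came from an unprivileged port over that transport.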