From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Peter Avalos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ypserv giving out encrypted passwords
Date: Tue, 12 Sep 2000 07:53:02 -0700
Message-Id: <200009121453.e8CErva69663@cwsys.cwsent.com>
In-reply-to: Your message of "Tue, 12 Sep 2000 07:28:36 PDT."
X-Mailer: exmh version 2.1.1 10/15/1999
X-OS: FreeBSD 4.1-RELEASE

In message , Peter Avalos writes:
>
>
> On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message , "Peter Avalos" writes:
> > > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> > >
> > > Snip from ypserv(8) manpage:
> > >
> > > To make up for this, the FreeBSD version of ypserv handles the
> > > master.passwd.byname and master.passwd.byuid maps in a special way. When
> > > the server receives a request to access either of these two maps, it will
> > > check the TCP port from which the request originated and return an error
> > > if the port number is greater than 1023. Since only the superuser is
> > > allowed to bind to TCP ports with values less than 1024, the server can use
> > > this test to determine whether or not the access request came from a
> > > privileged user. Any requests made by non-privileged users are therefore
> > > rejected.
> > >
> > > This sounds like a wonderful thing, but why only tcp? I don't want people to
> > > ypcat master.passwd and get all the encrypted passwords on my system. I
> > > verified that a ypmatch uses udp on a port >1023 with tcpdump:
> > >
> > > ypmatch pavalos master.passwd
> > > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> > >
> > > stun-port 1994/udp #cisco serial tunnel port
> > >
> > > So my question is: Is this a configuration error, or a 'feature' (bug)?
> >
> > I was unable to recreate your problem here at home (the only place I do
> > use YP). Tcpdump showed that appropriate ports were used when root or
> > non-root issued the request. Are you sure you weren't root or
> > that ypmatch wasn't setuid root on the client system?
> >
>
> The correct ports are being used. My issue is that a request from a
> non-root user (port >1023) gives out the encrypted password. According to
> the manpage, any request from tcp port >1023 will be denied for
> master.passwd.* maps. This seems like its logic is half-correct. My
> question is why is it only tcp since these yp requests are over udp?

cwtest$ ypmatch foobar master.passwd.byname
ypmatch: can't match key foobar in map master.passwd.byname. reason: YP server error
cwtest$

07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92
07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32

cwtest# ypmatch foobar master.passwd.byname
foobar:$1$foobar's_password:62361:62361::0:0:Foobar User,,,:/home/foobar:/bin/bash
cwtest#

07:43:06.646153 cwtest.657 > cwsys.1021: udp 92
07:43:06.647523 cwsys.1021 > cwtest.657: udp 128

Foobar was substituted for the real username to protect the innocent in my
example above, i.e. this is real output except for my editing out the real
username.

From what I can tell, it works as documented on a 4.1 system.

Regards,                         Phone:  (250)387-8437
Cy Schubert                      Fax:    (250)387-5766
Team Leader, Sun/DEC Team        Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
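The privileged-port rule the ypserv(8) excerpt describes, written out as an added example (not ypserv's own source): the test is applied to the peer address the server gets back from the socket layer, so it behaves the same for UDP and TCP, which is what the tcpdump output above shows on 4.1. The map names come from the manpage excerpt; the loopback peer and the helper peer_from_port are constructed for the demo, and the check itself is only as strong as the client host's control over who can bind ports below 1024.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define YP_PRIVILEGED_PORT_MAX 1023   /* only root can bind ports 0-1023 */

/* Only the two maps named in ypserv(8) carry password hashes. */
static int is_restricted_map(const char *map)
{
    return strcmp(map, "master.passwd.byname") == 0 ||
           strcmp(map, "master.passwd.byuid") == 0;
}

/* Decide whether a map request may be served. `from` is the peer address
 * as filled in by recvfrom(2) for UDP or accept(2) for TCP, so one test
 * covers both transports. Returns 1 to serve, 0 to reject. */
int yp_request_allowed(const char *map, const struct sockaddr_in *from)
{
    if (!is_restricted_map(map))
        return 1;                     /* passwd.byname etc. stay public */
    /* A source port above 1023 means the caller on the client was not root. */
    return ntohs(from->sin_port) <= YP_PRIVILEGED_PORT_MAX;
}

/* Constructed loopback peer for the demo below (not from the thread). */
struct sockaddr_in peer_from_port(unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sa;
}

int main(void)
{
    /* 1308 and 657 are the client source ports in the tcpdump output above. */
    const char *m = "master.passwd.byname";
    struct sockaddr_in user = peer_from_port(1308), root = peer_from_port(657);
    printf("%s from port 1308: %s\n", m,
           yp_request_allowed(m, &user) ? "served" : "YP server error");
    printf("%s from port 657:  %s\n", m,
           yp_request_allowed(m, &root) ? "served" : "YP server error");
    return 0;
}
```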