Bug 2090

Summary:

[patch] [nis] clients may bind to FreeBSD ypserv refusing to serve them

Product:

Base System

Reporter:

Tor Egge <Tor.Egge>

Component:

bin

Assignee:

freebsd-bugs (Nobody) <bugs>

Status:

Closed Overcome By Events

Severity:

Affects Only Me

CC:

delphij

Priority:

Normal

Keywords:

patch

Version:

3.0-CURRENT

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
file.diff	none

Description Tor Egge 1996-11-23 04:40:09 UTC

	NetBSD/FreeBSD/SunOS 4 machines uses broadcast via portmapper
	to find an yp server that serves the relevant domain. Since
	the request is forwarded by the local portmapper on the 
	FreeBSD machine, the securenets mechanism is inactive, and
	an positive acknowledge is sent back to the client via the
	portmapper. The client may be bound to an yp server
	that refuses to handle requests from the client.

Fix: Real Fix:  

		- Add code to portmap that performs the needed 
		  securenets checking, without logging
		  if the request came from the local subnet.

		- Don't use a privileged port when forwarding a query.

		- Don't fork for each forward. It is expensive in
		  an environment with many yp clients present.
		  Use async rpc handling instead.
	      
		- Don't let the ypserv process fork for gethostbyname()
	          lookups. Use async dns lookups instead.
        
	Quick Workaround (which may cause some irrelevant log messages):
How-To-Repeat: 
	Have a FreeBSD machine that runs a local ypserv due to 
	performance reasons. Configure ypserv to run without DNS forwarding, 
	since it is expensive (fork()).	Configure it to only serve 
	local host, to avoid SunOS 4 machines needing DNS forwarding 
	binding to it. Observe that nearby NetBSD/FreeBSD/SunOS 4 machines 
	may bind to the FreeBSD machine, causing problems 
	(e.g. users not being able to login).

Comment 1 Peter Wemm 1996-11-23 06:22:13 UTC

Bill Paul wrote:
> > 		- Don't let the ypserv process fork for gethostbyname()
> > 	          lookups. Use async dns lookups instead.
> 
> This has been on my mind for a while, but it's fallen victim to a
> severe lack of round tuits. One reason I've been putting it off is
> that doing this 'correctly' would probably mean bolting some of the
> BIND code directly onto ypserv. This would lead to yet another upgrade 
> headache when new BIND versions are released.

Another option is to fork() once and have the parent and child communicate 
over a pipe.  This is a pretty common approach, especially for things like 
WWW caches (eg: squid, harvest cached), MUD game drivers, etc.

FWIW, there's an async DNS resolver in the later versions of the irc 
servers, but I seem to recall that it's been contaminated with GPL code.

Cheers,
-Peter

Comment 2 Poul-Henning Kamp freebsd_committer

1998-05-25 09:00:12 UTC

State Changed
From-To: open->suspended

Awaiting committer

Comment 3 Eitan Adler freebsd_committer

2012-05-07 05:03:57 UTC

State Changed
From-To: suspended->open

we don't use suspeended for this state

Comment 4 Eitan Adler freebsd_committer

2017-12-31 07:59:18 UTC

For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Comment 5 Graham Perrin freebsd_committer

2022-10-17 12:37:13 UTC

Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>

Comment 6 Xin LI freebsd_committer

2022-12-04 21:07:26 UTC

portmap(8) was replaced by rpcbind(8) in 2001.