NetBSD/FreeBSD/SunOS 4 machines use broadcast via portmapper
to find a yp server that serves the relevant domain. Since
the request is forwarded by the local portmapper on the
FreeBSD machine, the securenets mechanism is inactive, and
a positive acknowledgement is sent back to the client via the
portmapper. The client may be bound to a yp server
that refuses to handle requests from the client.
Fix:
Real Fix:
- Add code to portmap that performs the needed
  securenets checking, without logging
  if the request came from the local subnet.
- Don't use a privileged port when forwarding a query.
- Don't fork for each forward. It is expensive in
  an environment with many yp clients present.
  Use async rpc handling instead.
- Don't let the ypserv process fork for gethostbyname()
  lookups. Use async dns lookups instead.
Quick Workaround (which may cause some irrelevant log messages):
Have a FreeBSD machine that runs a local ypserv due to
performance reasons. Configure ypserv to run without DNS forwarding,
since it is expensive (fork()). Configure it to only serve
local host, to avoid SunOS 4 machines needing DNS forwarding
binding to it. Observe that nearby NetBSD/FreeBSD/SunOS 4 machines
may bind to the FreeBSD machine, causing problems
(e.g. users not being able to log in).
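
One way the first item of the fix list could be implemented, as an added example that is not part of the original report or of FreeBSD's portmap: the forwarder checks the original caller against the securenets rules before forwarding, and flags a refusal for logging only when the caller is outside the local subnet. The function names, the "network netmask" line layout (assumed from FreeBSD's ypserv(8)) and the sample addresses are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

struct securenet { struct in_addr net, mask; }; /* match: (addr^net)&mask == 0 */

/* Parse "network netmask" lines (layout assumed from FreeBSD's ypserv(8));
 * comment and malformed lines are skipped. Returns the number of rules. */
int parse_securenets(const char *text, struct securenet *out, int max)
{
    char line[128], net[64], mask[64];
    int n = 0;
    while (*text && n < max) {
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, text);
        text += len + (text[len] == '\n');
        if (sscanf(line, "%63s %63s", net, mask) == 2 &&
            inet_pton(AF_INET, net, &out[n].net) == 1 &&
            inet_pton(AF_INET, mask, &out[n].mask) == 1)
            n++;
    }
    return n;
}

/* Check the ORIGINAL caller (network byte order, as in sin_addr.s_addr) before
 * forwarding, since ypserv would only see the forwarder's local address.
 * Returns 1 to forward, 0 to drop; *log_it is set only for refusals from
 * outside the local subnet. */
int forward_allowed(in_addr_t caller, const struct securenet *r, int n,
                    const struct securenet *local, int *log_it)
{
    *log_it = 0;
    for (int i = 0; i < n; i++)
        if (((caller ^ r[i].net.s_addr) & r[i].mask.s_addr) == 0)
            return 1;
    *log_it = ((caller ^ local->net.s_addr) & local->mask.s_addr) != 0;
    return 0;
}

int main(void)
{
    /* Constructed sample rules and callers, not values from the report. */
    const char *callers[] = { "127.0.0.1", "192.0.2.7", "198.51.100.9" };
    struct securenet rules[8], local;
    int log_it, n = parse_securenets("127.0.0.1 255.255.255.255\n", rules, 8);
    parse_securenets("192.0.2.0 255.255.255.0\n", &local, 1);
    for (int i = 0; i < 3; i++) {
        int ok = forward_allowed(inet_addr(callers[i]), rules, n, &local, &log_it);
        printf("%-12s forward=%d log=%d\n", callers[i], ok, log_it);
    }
}
```

With the rule set limited to the local host, the same-subnet caller is refused silently and the off-subnet caller is refused and flagged for logging.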
Bill Paul wrote:
> > - Don't let the ypserv process fork for gethostbyname()
> > lookups. Use async dns lookups instead.
> This has been on my mind for a while, but it's fallen victim to a
> severe lack of round tuits. One reason I've been putting it off is
> that doing this 'correctly' would probably mean bolting some of the
> BIND code directly onto ypserv. This would lead to yet another upgrade
> headache when new BIND versions are released.
Another option is to fork() once and have the parent and child communicate
over a pipe. This is a pretty common approach, especially for things like
WWW caches (e.g. squid, harvest cached), MUD game drivers, etc.
FWIW, there's an async DNS resolver in the later versions of the irc
servers, but I seem to recall that it's been contaminated with GPL code.
we don't use suspended for this state
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.