Bug 2090 - [patch] [nis] clients may bind to FreeBSD ypserv refusing to serve them
Summary: [patch] [nis] clients may bind to FreeBSD ypserv refusing to serve them
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 3.0-CURRENT
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 1996-11-23 04:40 UTC by Tor Egge
Modified: 2017-12-31 22:28 UTC (History)
0 users

See Also:


Attachments
file.diff (3.58 KB, patch)
1996-11-23 04:40 UTC, Tor Egge
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tor Egge 1996-11-23 04:40:09 UTC
	NetBSD/FreeBSD/SunOS 4 machines uses broadcast via portmapper
	to find an yp server that serves the relevant domain. Since
	the request is forwarded by the local portmapper on the 
	FreeBSD machine, the securenets mechanism is inactive, and
	an positive acknowledge is sent back to the client via the
	portmapper. The client may be bound to an yp server
	that refuses to handle requests from the client.

Fix: Real Fix:  

		- Add code to portmap that performs the needed 
		  securenets checking, without logging
		  if the request came from the local subnet.

		- Don't use a privileged port when forwarding a query.

		- Don't fork for each forward. It is expensive in
		  an environment with many yp clients present.
		  Use async rpc handling instead.
	      
		- Don't let the ypserv process fork for gethostbyname()
	          lookups. Use async dns lookups instead.
        
	Quick Workaround (which may cause some irrelevant log messages):
How-To-Repeat: 
	Have a FreeBSD machine that runs a local ypserv due to 
	performance reasons. Configure ypserv to run without DNS forwarding, 
	since it is expensive (fork()).	Configure it to only serve 
	local host, to avoid SunOS 4 machines needing DNS forwarding 
	binding to it. Observe that nearby NetBSD/FreeBSD/SunOS 4 machines 
	may bind to the FreeBSD machine, causing problems 
	(e.g. users not being able to login).
Comment 1 Peter Wemm 1996-11-23 06:22:13 UTC
Bill Paul wrote:
> > 		- Don't let the ypserv process fork for gethostbyname()
> > 	          lookups. Use async dns lookups instead.
> 
> This has been on my mind for a while, but it's fallen victim to a
> severe lack of round tuits. One reason I've been putting it off is
> that doing this 'correctly' would probably mean bolting some of the
> BIND code directly onto ypserv. This would lead to yet another upgrade 
> headache when new BIND versions are released.

Another option is to fork() once and have the parent and child communicate 
over a pipe.  This is a pretty common approach, especially for things like 
WWW caches (eg: squid, harvest cached), MUD game drivers, etc.

FWIW, there's an async DNS resolver in the later versions of the irc 
servers, but I seem to recall that it's been contaminated with GPL code.

Cheers,
-Peter
Comment 2 Poul-Henning Kamp freebsd_committer 1998-05-25 09:00:12 UTC
State Changed
From-To: open->suspended

Awaiting committer 
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2012-05-07 05:03:57 UTC
State Changed
From-To: suspended->open

we don't use suspeended for this state
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:18 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped