ypserv -- Inoperative access controls in ypserv

ID 0AC1AACE-F7B9-11DA-9156-000E0C2E438A
Type freebsd
Reporter FreeBSD
Modified 2006-05-31T00:00:00


Problem Description There are two documented methods of restricting access to NIS maps through ypserv(8): through the use of the /var/yp/securenets file, and through the /etc/hosts.allow file. While both mechanisms are implemented in the server, a change in the build process caused the "securenets" access restrictions to be inadvertantly disabled. Impact ypserv(8) will not load or process any of the networks or hosts specified in the /var/yp/securenets file, rendering those access controls ineffective. Workaround One possible workaround is to use /etc/hosts.allow for access control, as shown by examples in that file. Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or pf(4)) to limit access to RPC functions from untrusted systems or networks, but due to the complexities of RPC, it might be difficult to create a set of firewall rules which accomplish this without blocking all access to the machine in question.