too many hosts in access=... options

2007-12-25 7:12:00

Summary of my query:

  I need to put about 80 hosts in /etc/exports' access option. Configuration
is SUN 4/370 running SUN OS 4.0.3 libc_resolv.so/named. YP seems to
be the only solution to this. However, I was concerned about anonymous hosts
binding to my YP server and getting the password file.

Thanks to all that replied to my query:

  Don Hooper <hoop@khonshu.colorado.edu>
  mcs@mayo.edu (Mahlon Stacy)
  trinkle@cs.purdue.edu (Daniel Trinkle)
  "Matt Crawford" <matt@oddjob.uchicago.edu>
  Mark Prior <mrp@ucs.adelaide.edu.au>
  mp@allegra.tempo.nj.att.com (Mark Plotnick)
  Randy Holt <randy@everest.den.mmc.com>

There is a limit to how many bytes can be in access=... and I hit the limit.
However, the netgroup file IS NOT used if YP is not running. The answer is
therefore that I have to either leave access open to anyone or run YP.

As pointed out by many netlanders, I can run YP and limit the
database to only 'netgroups' and 'hosts'. Daniel Trinkle of Purdue
was kind enough to give me a patch so you can limit clients binding to
your YP server.

For people who are running named and libc_resolv.so: host names in the
access list are case-sensitive; they have to be spelled exactly the way
your name server returns them. (sigh!)

              William Ang
              ang@theory.lcs.mit.edu

==================== PATCH for ypserve to limit binding clients================

==================== From: trinkle@cs.purdue.edu ================

     Here is the patch (includes a new file); a man page modification
is missing (:-).

     You must create a file called /var/yp/securenets with entries of
the form

        netmask netaddr

     Both netmask and netaddr are dotted quads. The code applies the
mask to the address of the YP client request and compares it to the
netaddr, granting access if they match. The code checks to make sure
that both the mask and addr exist on each line, and also checks to
make sure the netmask covers what is specified in the netaddr (i.e.
255.255.0.0 128.10.2.0 would cause an error). If no
/var/yp/securenets file exists, a LOG_INFO warning is syslog'ed and
ypserv continues. Other errors cause ypserv to abort after logging a
LOG_ERR message. The code for get_secure_nets() is pretty easy to
follow.

     The code has been tested, but not extensively. I would recommend
you try it for a while. You may include it in your summary, assuming
the "author" comment remains in the code.

Daniel Trinkle trinkle@cs.purdue.edu
Dept. of Computer Sciences {backbone}!purdue!trinkle
Purdue University 317-494-7844
West Lafayette, IN 47907

============================== ypserv.patch ==============================

===================================================================

RCS file: RCS/ypserv.c,v

retrieving revision 1.1

diff -c -r1.1 ypserv.c

*** /tmp/,RCSt1017343 Wed Apr 4 09:03:54 1990

--- ypserv.c Tue Apr 3 13:46:50 1990

***************

*** 121,127

          pmap_unset(YPPROG, YPVERS);

          pmap_unset(YPPROG, YPOLDVERS);

          ypget_command_line_args(argc, argv);

!

          if (silent) {

                  

                  pid = fork();

--- 121,127 -----

          pmap_unset(YPPROG, YPVERS);

          pmap_unset(YPPROG, YPOLDVERS);

          ypget_command_line_args(argc, argv);

! get_secure_nets();

          if (silent) {

                  

                  pid = fork();
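Review bot: get_secure_nets() is called with no declaration in scope, so the compiler assumes an int-returning function with unchecked arguments; add a declaration (e.g. `extern get_secure_nets();` beside the file's other externs, or a prototype in a shared header) so a later change to its signature is caught at compile time. Placing the call before the `if (silent)` fork is the right order: the exit(1) paths inside get_secure_nets() fire while ypserv is still in the foreground, so an operator starting it by hand sees the failure instead of getting a detached daemon that refuses every client.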

===================================================================

RCS file: RCS/ypserv_map.c,v

retrieving revision 1.1

diff -c -r1.1 ypserv_map.c

*** /tmp/,RCSt1017368 Wed Apr 4 09:03:59 1990

--- ypserv_map.c Tue Apr 3 14:51:31 1990

***************

*** 232,237

                  return (TRUE);

          }

          caller = svc_getcaller(transp);

          if ((caller->sin_family == AF_INET) &&

              (ntohs(caller->sin_port)) < IPPORT_RESERVED) {

                  return (TRUE);

--- 232,239 -----

                  return (TRUE);

          }

          caller = svc_getcaller(transp);

+ if (!(check_secure_net(caller)))

+ return(FALSE);

          if ((caller->sin_family == AF_INET) &&

              (ntohs(caller->sin_port)) < IPPORT_RESERVED) {

                  return (TRUE);
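Review bot: this check fails closed when /var/yp/securenets is absent: get_secure_nets() leaves slist NULL in that case, check_secure_net() then walks an empty list and returns 0, and every request is refused, which contradicts the covering note's statement that ypserv "continues" after only a LOG_INFO warning. If the intended fallback is the old unrestricted behaviour, record whether a file was loaded (e.g. a static `secure_nets_loaded` flag set in get_secure_nets()) and skip the call when it is clear; if fail-closed is intended, the man page should say so. Also consider the per-request LOG_ERR line that check_secure_net() emits for each refusal: a misconfigured client that retries will fill syslog, so LOG_WARNING or LOG_NOTICE with some suppression of repeats would serve the operator better.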

===================================================================

*** ypserv_net_secure.c Wed Apr 4 09:38:01 1990

--- ypserv_net_secure.c Wed Apr 4 09:01:59 1990

***************

*** 0

--- 1,78 -----

+ /*

+ * Author:

+ * Richard Watterson

+ * Purdue University

+ * Department of Computer Sciences

+ * April 3, 1990

+ */

+

+ #include <sys/types.h>

+ #include <sys/socket.h>

+ #include <netinet/in.h>

+ #include <arpa/inet.h>

+ #include <stdio.h>

+ #include <syslog.h>

+ #define ACCFILE "/var/yp/securenets"

+ struct seclist {

+ u_long mask;

+ u_long net;

+ struct seclist *next;

+ };

+ static struct seclist *slist ;

+ get_secure_nets()

+ {

+ FILE *fp;

+ char strung[30],nmask[16],net[16];

+ unsigned long maskin, netin;

+ struct seclist *tmp1,*tmp2;

+ int first = 0;

+ if (fp = fopen(ACCFILE,"r")) {

+ tmp1 = (struct seclist *) malloc(sizeof (struct seclist));

+ slist = tmp1;

+ while (fgets(strung,30,fp)) {

+ if (strung[strlen(strung) - 1] != '\n'){

+ syslog(LOG_ERR|LOG_DAEMON,

+ "ypserv: /var/yp/securenets line too long\n");

+ exit(1);

+ }

+ if (sscanf(strung,"%s%s",nmask,net) < 2) {

+ syslog(LOG_ERR|LOG_DAEMON,

+ "ypserv: /var/yp/securenets missing fields\n");

+ exit(1);

+ }

+ maskin = inet_addr(nmask);

+ netin = inet_addr(net);

+ if ((maskin & netin) != netin) {

+ syslog(LOG_ERR|LOG_DAEMON,

+ "ypserv: /var/yp/securenets netmask does not match network");

+ exit(1);

+ }

+ tmp1->mask = maskin;

+ tmp1->net = netin;

+ tmp1->next = (struct seclist *) malloc(sizeof (struct seclist));

+ tmp2 = tmp1;

+ tmp1 = tmp1->next;

+ }

+ tmp2->next = NULL;

+

+ }

+ else

+ syslog(LOG_INFO|LOG_DAEMON,"ypserv: no /var/yp/securenets file\n");

+ }

+

+ check_secure_net(caller)

+ struct sockaddr_in *caller;

+ {

+

+ struct seclist *tmp;

+ tmp = slist ;

+ while (tmp != NULL) {

+ if ((caller->sin_addr.s_addr & tmp->mask) == tmp->net){

+ return(1);

+ }

+ tmp = tmp->next;

+ }

+ syslog(LOG_ERR|LOG_DAEMON,"ypserv: access denied for %s\n",

+ inet_ntoa(caller->sin_addr));

+ return(0);

+ }
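Review bot: get_secure_nets() misbehaves on an existing but empty file: the while loop never runs, tmp2 is never assigned, and `tmp2->next = NULL` writes through an uninitialized pointer while slist points at a malloc'd node whose mask and net were never set. Initialize tmp2 to NULL and test it before that assignment, or allocate each node only after a line has parsed (which also removes the spare node allocated ahead of every iteration). Two input-handling points as well: `sscanf(strung,"%s%s",nmask,net)` reads into 16-byte buffers from a line that may hold 28 non-newline characters, so a single long token overflows nmask; use `%15s%15s`. And inet_addr() returns -1 (all ones) for an unparsable field, which is never checked, so a typo in the netmask column produces a 255.255.255.255 mask that passes the covers-the-network test and silently narrows the entry to a single host; compare the result against INADDR_NONE (accepting 255.255.255.255 only where a host mask is meant) or use a stricter parser. Minor: a final line without a trailing newline is reported as "line too long", and the malloc() results are unchecked.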

============================== end ypserv.patch ==============================
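The check Daniel describes above, as an added example that is not part of the original post or the Purdue patch: a small C program that parses securenets-style lines ("netmask netaddr"), applies the same consistency rule (the mask must cover the network, so 255.255.0.0 128.10.2.0 is rejected) and then decides whether a caller address matches. It departs from the patch in a few deliberate ways: it reads the file contents from a constructed in-memory string so it runs offline, keeps entries in a fixed array (SN_MAX) rather than a malloc'd list, bounds the sscanf fields, uses inet_pton() so an unparsable address is rejected instead of being treated as 255.255.255.255, accepts a final line without a trailing newline, and treats '#' lines as comments, a convenience the original file format does not have. The error codes, function names and sample addresses are this example's own.

```c
/* securenets_check.c: an added example, not the posted patch's own code. It implements
 * the /var/yp/securenets logic described above ("netmask netaddr" lines, the
 * mask-covers-network check, the per-request caller match) with a fixed array instead
 * of the patch's malloc'd list. The '#' comments, error codes and data are this example's. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define SN_MAX 64                                 /* entries; one per file line */
struct secnet { in_addr_t mask, net; };           /* network byte order, as inet_pton() stores them */
struct secnets { struct secnet ent[SN_MAX]; size_t n; };

/* Non-zero codes are hard errors; the patch exits ypserv rather than serve a half-read list. */
enum { SN_OK = 0, SN_LINE_TOO_LONG, SN_MISSING_FIELDS, SN_BAD_ADDRESS, SN_MASK_MISMATCH, SN_TOO_MANY };

/* Parse one line; blank lines and '#' comments set *skip and return SN_OK. */
int parse_securenets_line(const char *line, struct secnet *out, int *skip)
{
    char nmask[64], net[64];
    struct in_addr m, n;
    *skip = 0;
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '#') { *skip = 1; return SN_OK; }
    if (sscanf(line, "%63s %63s", nmask, net) < 2)          /* %63s bounds each field */
        return SN_MISSING_FIELDS;
    /* inet_pton() fails explicitly; inet_addr()'s INADDR_NONE looks like 255.255.255.255 */
    if (inet_pton(AF_INET, nmask, &m) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return SN_BAD_ADDRESS;
    if ((m.s_addr & n.s_addr) != n.s_addr)       /* the patch's rule: the mask must cover the net */
        return SN_MASK_MISMATCH;
    out->mask = m.s_addr;
    out->net = n.s_addr;
    return SN_OK;
}

/* Fill *sn from file contents held in memory (so this runs without touching /var/yp).
 * Returns SN_OK or the first error code; sn->n then counts the entries read before it. */
int load_securenets(const char *p, struct secnets *sn)
{
    struct secnet entry;
    char line[256];
    int err, skip;
    sn->n = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);      /* last line may lack '\n' */
        if (len >= sizeof line) return SN_LINE_TOO_LONG;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if ((err = parse_securenets_line(line, &entry, &skip)) != SN_OK)
            return err;
        if (skip) continue;
        if (sn->n == SN_MAX) return SN_TOO_MANY;
        sn->ent[sn->n++] = entry;
    }
    return SN_OK;
}

/* The per-request decision. An empty list denies everyone, which is also what the patch
 * does when the file is absent (slist stays NULL), whatever the description suggests. */
int securenets_allows(const struct secnets *sn, struct in_addr caller)
{
    for (size_t i = 0; i < sn->n; i++)
        if ((caller.s_addr & sn->ent[i].mask) == sn->ent[i].net)
            return 1;
    return 0;
}

/* Load then decide: 1/0 for allowed/denied, or the negated load error code. */
int demo_decide(const char *contents, const char *caller_ip)
{
    struct secnets sn;
    struct in_addr a;
    int err = load_securenets(contents, &sn);
    if (err != SN_OK)
        return -err;
    return inet_pton(AF_INET, caller_ip, &a) == 1 && securenets_allows(&sn, a);
}

/* Constructed sample file contents, not taken from the original post. */
static const char sample_securenets[] = "255.255.255.0 128.10.2.0\n"
                                        "# a whole class B network\n"
                                        "255.255.0.0   18.26.0.0\n"
                                        "255.255.255.255 192.168.1.7";  /* no final newline */

int main(void)
{
    const char *callers[] = { "128.10.2.55", "128.10.3.1", "18.26.0.36", "192.168.1.8" };
    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++)
        printf("%-12s %s\n", callers[i], demo_decide(sample_securenets, callers[i]) == 1 ? "allowed" : "denied");
    printf("mismatched mask -> error %d\n", -demo_decide("255.255.0.0 128.10.2.0\n", "128.10.2.1"));
    return 0;
}
```

With no entries at all (an absent or empty file) securenets_allows() refuses every caller, which is the behaviour the patch's check_secure_net() also has when slist is NULL; a site that wants "no file means no restriction" has to express that explicitly rather than rely on the list walk.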

  
