Re: bin/43900: ypbind(8) fails to handle multiple domains correcly

[Wolfgang Stukenbrock <Wolfgang.Stukenbrock%nagler-company.com@localhost>]

Hi,

if it is nessesary to use ypset in a particular setup for any reasons, I 
think it would make sence to have the ability to restrict this to a 
subset of the domains that are bound.
I do not use ypset for security reasons, but if anyone else does, I 
think that a setup where the "main"-Domain of the system (e.g. used for 
logins) cannot be modified by ypset, but for some or all other 
"additional" domains it may make sence.

Neverless this will be a very rare case at all.
And it would not be easy to specify this on the command line. You can 
only allow ypset for "known" domains at the time of start of ypbind or 
for all.

The important point is to support different sets of servers for 
different Domains via binding-files.
My remarks to ypset in the PR should only show the effects of ypset and 
that it is not a workaround for the problem because I need to set all 
domains via ypset in that case ...

best regards

W. Stukenbrock

David Holland wrote:

> The following reply was made to PR bin/43900; it has been noted by GNATS.
>
> From: David Holland <dholland-bugs%netbsd.org@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: 
> Subject: Re: bin/43900: ypbind(8) fails to handle multiple domains correcly
> Date: Mon, 23 May 2011 05:24:46 +0000
>
>  On Thu, Sep 23, 2010 at 01:45:00PM +0000, 
> Wolfgang.Stukenbrock%nagler-company.com@localhost wrote:
>   > The current implementation of ypbind will only handle multiple
>   > domains correctly if it runs in broadcast mode. Direct binding and
>   > ypset-mode may not handle different sets of ypservers for different
>   > domains correcly.  The cause for the problem is that in ypbind.c
>   > some state information is stored from global variables and not in
>   > domain specific data.  These global variables are correct for the
>   > default domain, but not for any additional domain.
>   > 
>   > The current implementation will use the
>   > /var/yp/bind/<defaultdomain>.ypservers for any domain ypbind is ask
>   > for.  And in the current implementation ypset will set the server
>   > for the specified domain but switches to "ypset-mode" for all
>   > domains. So all other domains not explitly bound by a separate
>   > ypset call will fail.
>  
>  Right, so this is definitely quite broken.
>  
>  However, I'm concerned about the semantics for ypbindmode. It seems to
>  me (particularly from the man page, but also from going over the code)
>  that the intent of the -ypset and -ypsetme options is to allow ypset
>  to be used for domains that we broadcast for. This is basically a
>  global permission setting and I don't think it makes sense to try to
>  track or configure it on a per-domain basis.
>  
>  Thus I think YPBIND_SETALL and YPBIND_SETLOCAL should be removed from
>  the modes enumeration and replaced with a pair of global flags. Then I
>  think the broadcast vs. direct mode can be handled separately for each
>  domain without getting into trouble.
>  
>  (I'm also wondering whether it makes sense, for domains in direct
>  mode, and if ypset is enabled, to allow ypset to pick one of the
>  servers that's in the configured servers list for that domain. I
>  suppose since it's not 1990 that it's a fairly pointless idea.)
>  
>  -- 
>  David A. Holland
>  dholland%netbsd.org@localhost
>  


--


Dr. Nagler & Company GmbH
Hauptstraße 9
92253 Schnaittenbach

Tel. +49 9622/71 97-42
Fax +49 9622/71 97-50

Wolfgang.Stukenbrock%nagler-company.com@localhost
http://www.nagler-company.com


Hauptsitz: Schnaittenbach
Handelregister: Amberg HRB
Gerichtsstand: Amberg
Steuernummer: 201/118/51825
USt.-ID-Nummer: DE 273143997
Geschäftsführer: Dr. Martin Nagler, Dr. Dr. Karl-Kuno Kunze