NetBSD-Bugs archive


Re: bin/43900: ypbind(8) fails to handle multiple domains correcly



The following reply was made to PR bin/43900; it has been noted by GNATS.

From: Wolfgang Stukenbrock <Wolfgang.Stukenbrock%nagler-company.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: dholland%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost, 
netbsd-bugs%NetBSD.org@localhost,
        Wolfgang.Stukenbrock%nagler-company.com@localhost
Subject: Re: bin/43900: ypbind(8) fails to handle multiple domains correcly
Date: Mon, 23 May 2011 08:44:54 +0200

 Hi,
 
 If it is necessary to use ypset in a particular setup for any reason, I 
 think it would make sense to have the ability to restrict this to a 
 subset of the domains that are bound.
 I do not use ypset for security reasons, but if anyone else does, I 
 think that a setup where the "main"-Domain of the system (e.g. used for 
 logins) cannot be modified by ypset, but for some or all other 
 "additional" domains it may make sense.
 
 Nevertheless this will be a very rare case at all.
 And it would not be easy to specify this on the command line. You can 
 only allow ypset for "known" domains at the time of start of ypbind or 
 for all.
 
 The important point is to support different sets of servers for 
 different Domains via binding-files.
 My remarks to ypset in the PR should only show the effects of ypset and 
 that it is not a workaround for the problem because I need to set all 
 domains via ypset in that case ...
 
 best regards
 
 W. Stukenbrock
 
 David Holland wrote:
 
 > The following reply was made to PR bin/43900; it has been noted by GNATS.
 > 
 > From: David Holland <dholland-bugs%netbsd.org@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: 
 > Subject: Re: bin/43900: ypbind(8) fails to handle multiple domains correcly
 > Date: Mon, 23 May 2011 05:24:46 +0000
 > 
 >  On Thu, Sep 23, 2010 at 01:45:00PM +0000, 
 > Wolfgang.Stukenbrock%nagler-company.com@localhost wrote:
 >   > The current implementation of ypbind will only handle multiple
 >   > domains correctly if it runs in broadcast mode. Direct binding and
 >   > ypset-mode may not handle different sets of ypservers for different
 >   > domains correctly.  The cause for the problem is that in ypbind.c
 >   > some state information is stored from global variables and not in
 >   > domain specific data.  These global variables are correct for the
 >   > default domain, but not for any additional domain.
 >   > 
 >   > The current implementation will use the
 >   > /var/yp/bind/<defaultdomain>.ypservers for any domain ypbind is asked
 >   > for.  And in the current implementation ypset will set the server
 >   > for the specified domain but switches to "ypset-mode" for all
 >   > domains. So all other domains not explicitly bound by a separate
 >   > ypset call will fail.
 >  
 >  Right, so this is definitely quite broken.
 >  
 >  However, I'm concerned about the semantics for ypbindmode. It seems to
 >  me (particularly from the man page, but also from going over the code)
 >  that the intent of the -ypset and -ypsetme options is to allow ypset
 >  to be used for domains that we broadcast for. This is basically a
 >  global permission setting and I don't think it makes sense to try to
 >  track or configure it on a per-domain basis.
 >  
 >  Thus I think YPBIND_SETALL and YPBIND_SETLOCAL should be removed from
 >  the modes enumeration and replaced with a pair of global flags. Then I
 >  think the broadcast vs. direct mode can be handled separately for each
 >  domain without getting into trouble.
 >  
 >  (I'm also wondering whether it makes sense, for domains in direct
 >  mode, and if ypset is enabled, to allow ypset to pick one of the
 >  servers that's in the configured servers list for that domain. I
 >  suppose since it's not 1990 that it's a fairly pointless idea.)
 >  
 >  -- 
 >  David A. Holland
 >  dholland%netbsd.org@localhost
 >  
 > 
 > 
 > 
 
 
 -- 
 
 
 Dr. Nagler & Company GmbH
 Hauptstraße 9
 92253 Schnaittenbach
 
 Tel. +49 9622/71 97-42
 Fax +49 9622/71 97-50
 
 Wolfgang.Stukenbrock%nagler-company.com@localhost
 http://www.nagler-company.com
 
 
 Hauptsitz: Schnaittenbach
 Handelregister: Amberg HRB
 Gerichtsstand: Amberg
 Steuernummer: 201/118/51825
 USt.-ID-Nummer: DE 273143997
 Geschäftsführer: Dr. Martin Nagler, Dr. Dr. Karl-Kuno Kunze
 
 

