NetBSD-Bugs archive


Re: bin/43900: ypbind(8) fails to handle multiple domains correcly



Hi,

If it is necessary to use ypset in a particular setup for any reason, I think it would make sense to have the ability to restrict this to a subset of the domains that are bound. I do not use ypset for security reasons, but if anyone else does, I think that a setup where the "main" domain of the system (e.g. used for logins) cannot be modified by ypset, but for some or all other "additional" domains it can, may make sense.

Nevertheless, this will be a very rare case.
And it would not be easy to specify this on the command line. You can only allow ypset for "known" domains at the time of start of ypbind or for all.

The important point is to support different sets of servers for different domains via binding files. My remarks on ypset in the PR should only show the effects of ypset and that it is not a workaround for the problem, because I need to set all domains via ypset in that case ...

best regards

W. Stukenbrock

David Holland wrote:

The following reply was made to PR bin/43900; it has been noted by GNATS.

From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: bin/43900: ypbind(8) fails to handle multiple domains correcly
Date: Mon, 23 May 2011 05:24:46 +0000

 On Thu, Sep 23, 2010 at 01:45:00PM +0000, Wolfgang.Stukenbrock%nagler-company.com@localhost wrote:
  > The current implementation of ypbind will only handle multiple
  > domains correctly if it runs in broadcast mode. Direct binding and
  > ypset-mode may not handle different sets of ypservers for different
  > domains correctly.  The cause for the problem is that in ypbind.c
  > some state information is stored from global variables and not in
  > domain specific data.  These global variables are correct for the
  > default domain, but not for any additional domain.
  >
  > The current implementation will use the
  > /var/yp/bind/<defaultdomain>.ypservers for any domain ypbind is asked
  > for.  And in the current implementation ypset will set the server
  > for the specified domain but switches to "ypset-mode" for all
  > domains. So all other domains not explicitly bound by a separate
  > ypset call will fail.

 Right, so this is definitely quite broken.

 However, I'm concerned about the semantics for ypbindmode. It seems to
 me (particularly from the man page, but also from going over the code)
 that the intent of the -ypset and -ypsetme options is to allow ypset
 to be used for domains that we broadcast for. This is basically a
 global permission setting and I don't think it makes sense to try to
 track or configure it on a per-domain basis.

 Thus I think YPBIND_SETALL and YPBIND_SETLOCAL should be removed from
 the modes enumeration and replaced with a pair of global flags. Then I
 think the broadcast vs. direct mode can be handled separately for each
 domain without getting into trouble.

 (I'm also wondering whether it makes sense, for domains in direct
 mode, and if ypset is enabled, to allow ypset to pick one of the
 servers that's in the configured servers list for that domain. I
 suppose since it's not 1990 that it's a fairly pointless idea.)

 --
 David A. Holland
 dholland%netbsd.org@localhost




--


Dr. Nagler & Company GmbH
Hauptstraße 9
92253 Schnaittenbach

Tel. +49 9622/71 97-42
Fax +49 9622/71 97-50

Wolfgang.Stukenbrock%nagler-company.com@localhost
http://www.nagler-company.com


Head office: Schnaittenbach
Commercial register: Amberg HRB
Place of jurisdiction: Amberg
Tax number: 201/118/51825
VAT ID number: DE 273143997
Managing directors: Dr. Martin Nagler, Dr. Dr. Karl-Kuno Kunze
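
The permission model discussed in this thread, as an added sketch that is not code from ypbind.c or from either poster: the binding mode is kept per domain, the ypset permission is a single global setting, and a per-domain lock keeps the login domain out of reach of ypset. All type, field and function names, the sample domains, and the rule that direct-mode domains refuse ypset are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Binding mode, tracked per domain. */
enum bind_mode { BIND_BROADCAST, BIND_DIRECT };

/* One global ypset permission: off, local host only (-ypsetme), any host (-ypset). */
enum ypset_perm { YPSET_NONE, YPSET_LOCAL, YPSET_ALL };

struct domain {
    const char *name;
    enum bind_mode mode;
    bool ypset_locked;   /* hypothetical per-domain lock, not a ypbind field */
};

/* Constructed sample configuration. */
static const struct domain domains[] = {
    { "login.example",   BIND_BROADCAST, true  },
    { "lab.example",     BIND_BROADCAST, false },
    { "archive.example", BIND_DIRECT,    false },
};

static const struct domain *find_domain(const char *name)
{
    for (size_t i = 0; i < sizeof(domains) / sizeof(domains[0]); i++)
        if (strcmp(domains[i].name, name) == 0)
            return &domains[i];
    return NULL;
}

/* May a ypset request rebind domain `name`? Default is deny. */
bool ypset_allowed(enum ypset_perm perm, const char *name, bool from_local)
{
    const struct domain *d = find_domain(name);

    if (perm == YPSET_NONE || (perm == YPSET_LOCAL && !from_local))
        return false;                  /* global permission check */
    if (d == NULL || d->ypset_locked)
        return false;                  /* unknown or locked domain */
    return d->mode == BIND_BROADCAST;  /* assumption: direct mode keeps its server list */
}

int main(void)
{
    printf("lab, remote, -ypset:     %d\n", ypset_allowed(YPSET_ALL, "lab.example", false));
    printf("login, local, -ypsetme:  %d\n", ypset_allowed(YPSET_LOCAL, "login.example", true));
    return 0;
}
```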



