NAME¶
ypserv.conf - configuration file for ypserv and rpc.ypxfrd
DESCRIPTION¶
ypserv.conf is an ASCII file which contains some options for ypserv. It
also contains a list of rules for special host and map access for ypserv and
rpc.ypxfrd. This file is read by ypserv and rpc.ypxfrd at startup, or
when they receive a SIGHUP signal.
There is one entry per line. If the line is an option line, the format is:
- option: <argument>
The line for an access rule has the format:
- host:domain:map:security
All rules are tried one by one. If no match is found, access to a map is
allowed.
The following options exist:
- files: 30
- This option specifies how many database files should be
cached by ypserv. If 0 is specified, caching is disabled.
Decreasing this number is only possible if ypserv is
restarted.
- trusted_master: server
- When a map is pushed to a slave, the slave normally only
accepts updates to existing maps, and then only from the real master. If
this option is set on a slave server, new (not yet existing) maps from the
specified server will be accepted. The default is that no trusted master
is set and new maps will not be accepted.
Example:
trusted_master: ypmaster.example.org
- slp: [yes|<no>|domain]
- If this option is enabled and SLP support is compiled in, the
NIS server registers itself with an SLP server. If the variable is set to
domain, an attribute domain with a comma-separated list of
supported domain names is set. Otherwise this attribute is not set.
- xfr_check_port: [<yes>|no]
- With this option enabled, the NIS master server has to run
on a privileged port (< 1024). The default is "yes"
(enabled).
The field descriptions for the access rule lines are:
- host
- IP address. Wildcards are allowed.
Examples:
131.234. = 131.234.0.0/255.255.0.0
131.234.214.0/255.255.254.0
- domain
- specifies the domain for which this rule applies.
An asterisk as wildcard is allowed.
- map
- name of the map, or asterisk for all maps.
- security
- one of none, port, deny:
- none
- always allow access.
- port
- allow access if the client request originates from a
privileged port (< 1024). Otherwise do not allow access.
- deny
- deny access to this map.
You can add /mangle:field to the none or port security keywords. The
:field part is optional. It replaces field number field (the default is
2, the password field of the passwd and shadow maps) with the value x:
for the port security keyword this is done for client requests from
non-privileged ports (>= 1024), and for the none security keyword it is
done in all cases.
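As an added example, not part of this man page or of the ypserv sources, the following Python model evaluates access rules the way the text above describes them: rules are tried in order, the first match decides, and an unmatched request is allowed. The host patterns (exact address, dotted prefix such as "131.234.", or network/netmask) and the sample configuration are constructed for this example and are an assumption about how ypserv interprets the host field.

```python
import ipaddress

# Constructed sample ypserv.conf for this example; hosts and domains are illustrative
SAMPLE_CONF = """\
files: 30
xfr_check_port: yes
127.0.0.1:*:*:none
131.234.214.0/255.255.254.0:*:passwd.byname:port/mangle
131.234.:example.org:shadow.byname:deny
*:*:*:none
"""

def parse_conf(text):
    """Return (options dict, ordered rule list) from ypserv.conf text."""
    options, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count(":") >= 3:      # host:domain:map:security; security may hold ':field'
            rules.append(tuple(line.split(":", 3)))
        else:                          # option: <argument>
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
    return options, rules

def host_matches(pattern, client_ip):
    if pattern == "*":
        return True
    if "/" in pattern:                 # network/netmask form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):          # dotted-prefix wildcard such as "131.234."
        return client_ip.startswith(pattern)
    return client_ip == pattern

def check_access(rules, client_ip, client_port, domain, mapname):
    """First matching rule decides; returns (allowed, field to mangle or None)."""
    for host, dom, mp, security in rules:
        if not host_matches(host, client_ip) or dom not in ("*", domain) or mp not in ("*", mapname):
            continue
        keyword, _, mangle = security.partition("/")
        field = int(mangle.partition(":")[2] or 2) if mangle else None  # /mangle defaults to field 2
        if keyword == "deny":
            return False, None
        if keyword == "none":
            return True, field          # mangle in all cases when requested
        if client_port < 1024:          # port: privileged client port
            return True, None
        return (True, field) if field else (False, None)  # port/mangle allows but mangles
    return True, None                   # no rule matched: access allowed
```

Note that a request from a non-privileged port against a port/mangle rule is allowed but gets its password field replaced, whereas the same request against a plain port rule is refused.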
FILES¶
/etc/ypserv.conf
SEE ALSO¶
ypserv(8),
rpc.ypxfrd(8)
WARNINGS¶
The access rules for special maps are no real improvement in security, but they
make life a little bit harder for a potential hacker.
BUGS¶
Solaris clients don't use privileged ports. All security options that depend on
privileged ports cause big problems on Solaris clients.
AUTHOR¶
Thorsten Kukuk <kukuk@suse.de>