This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Use reserved port only when required for NIS look-ups

From: Kalle Olavi Niemitalo <kon at iki dot fi>
To: "Carlos O'Donell" <carlos at systemhalted dot org>
Cc: libc-alpha at sourceware dot org, Honza Horak <hhorak at redhat dot com>, Thorsten Kukuk <kukuk at suse dot de>
Date: Sun, 12 Aug 2012 12:16:17 +0300
Subject: Re: Use reserved port only when required for NIS look-ups
Keywords: client,server,port,maps,map,daemon,ypserv,secure
References: <50250B29.1000405@redhat.com><CADZpyixCE3ntDpm5MnM1hS7WTu0-OnAUfLdDjXeHjHnAcuR1Kg@mail.gmail.com>

"Carlos O'Donell" <carlos@systemhalted.org> writes:

> I've never seen a "secured map," out of curiosity how does someone set one up?

In /etc/ypserv.conf, you define a map like so:

# Host                       : Domain  : Map              : Security
*                            : *       : shadow.byname    : port

Then, if an unprivileged client tries to read anything from
shadow.byname, the ypserv daemon will refuse the request because
it did not come from a privileged port.  AFAIK, this is intended
to prevent non-root users from reading the password hashes of
other users and cracking them offline.  Alternatively, if the
same map contains both public and private fields, ypserv can be
configured to always return the public fields but substitute
e.g. "x" for the password.

These privileged-port checks seem unlikely to help against an
attacker who connects her own computer to the network.

> Whenever you use a non-privileged port there is the risk of the daemon
> getting killed and a rogue daemon using the port to talk to the client
> and pretend to be authoritative.

That risk does not apply, because the proposed change does not
affect the _destination_ port of the requests sent by the client.
It makes the client send the requests from unprivileged _source_
ports unless the server is expected to restrict access by port.

> This worries me. I don't like adding configuration files if we don't have to.

Perhaps an existing configuration file could be used.
In the client machines, there may already be an yp.conf file,
used by the ypbind daemon, which tells other client processes how
to contact the NIS server.  Perhaps the list of secured maps could
be added to yp.conf and then passed to the client processes via
RPC, like the NIS server address.

It would be good to know if HP made their implementation of
"Reduced Usage of Reserved Ports" configurable in any way,
and whether the change caused any problems to their customers.

> Why doesn't the client know which maps are marked secure? Didn't we
> just configure the secure maps?

The maps were configured at the server.  I guess the NIS protocol
does not specify a way for the server to tell the client which
maps are secure.  The client can ask the server to list the names
of all maps but the response to that seems to have no place for
security information.

Follow-Ups:
- Re: Use reserved port only when required for NIS look-ups
  - From: Jeff Law

References:
- Use reserved port only when required for NIS look-ups
  - From: Honza Horak
- Re: Use reserved port only when required for NIS look-ups
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]