NAME
ypserv.conf - configuration file for ypserv and rpc.ypxfrd
DESCRIPTION
ypserv.conf is an ASCII file which contains some options for ypserv. It also
contains a list of rules for special host and map access for ypserv
and rpc.ypxfrd. This file will be read by ypserv and rpc.ypxfrd at
startup, or when receiving a SIGHUP signal.
There is one entry per line. If the line is an option line,
the format is:
option: <argument>
The line for an access rule has the format:
host:domain:map:security
All rules are tried one by one. If no match is found, access to a
map is allowed.
The following options exist:
files: 30
This option specifies how many database files should be cached by
ypserv. If 0 is specified, caching is disabled. Decreasing this number is
only possible if ypserv is restarted.
trusted_master: server
When a map is pushed to a slave, the slave normally only accepts
updates to existing maps, and then only from the real master.
If this option is set on a slave server, new (not yet existing)
maps from the host server will be accepted. The default is that
no trusted master is set and new maps will not be accepted.
Example:
trusted_master: ypmaster.example.org
slp: [yes|<no>|domain]
If this option is enabled and SLP support is compiled in, the NIS server
registers itself on an SLP server. If the variable is set to domain,
an attribute domain with a comma-separated list of supported domain names
is set. Otherwise this attribute will not be set.
xfr_check_port: [<yes>|no]
With this option enabled, the NIS master server has to run on a
privileged port (< 1024). The default is "yes" (enabled).
The field descriptions for the access rule lines are:
host
IP address. Wildcards are allowed.
Examples:
131.234. = 131.234.0.0/255.255.0.0
131.234.214.0/255.255.254.0
domain
specifies the domain for which this rule should be applied. An
asterisk as wildcard is allowed.
map
name of the map, or asterisk for all maps.
security
one of none, port, deny:
none
always allow access.
port
allow access if the client request originates from a privileged
port (< 1024). Otherwise do not allow access.
deny
deny access to this map.
You can add /mangle:field to the none or port security keywords. The
:field part is optional. It will replace field number field (the default
is 2, the password field of the passwd and shadow maps) with the value x
for client requests from non-privileged ports (>= 1024) for the port
security keyword and in all cases for the none security keyword.
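The rule matching described above, as an added example that is not part of ypserv or of this manual page: a short Python evaluator that applies host:domain:map:security rules in order to a client request, including the allow-by-default result when no rule matches. The sample rules are constructed, the function names are hypothetical, and treating lines that start with # as comments is an assumption.

```python
import ipaddress

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
files: 30
131.234. : * : shadow.byname : port
131.234.214.0/255.255.254.0 : * : passwd.byname : port/mangle:2
* : * : shadow.byname : deny
"""

def host_matches(pattern, client_ip):
    """Host field: '*', a dotted prefix such as '131.234.', or address/netmask."""
    if pattern == "*":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    net = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(client_ip) in net

def parse_rules(text):
    """Return the access rules in file order; option lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' starts a comment. Option lines have fewer than 3 colons.
        if not line or line.startswith("#") or line.count(":") < 3:
            continue
        host, domain, mapname, security = (f.strip() for f in line.split(":", 3))
        keyword, _, mangle = security.partition("/")
        field = int(mangle.partition(":")[2] or 2) if mangle else None
        rules.append((host, domain, mapname, keyword.strip(), field))
    return rules

def decide(rules, client_ip, src_port, domain, mapname):
    """First matching rule decides; with no match, access is allowed."""
    unprivileged = src_port >= 1024
    for host, dom, mp, keyword, field in rules:
        if not (host_matches(host, client_ip) and dom in ("*", domain) and mp in ("*", mapname)):
            continue
        if keyword == "deny":
            return "deny"
        if field and (keyword == "none" or unprivileged):
            return f"allow, field {field} replaced with x"
        if keyword == "port" and unprivileged:
            return "deny"
        return "allow"
    return "allow (no rule matched)"

RULES = parse_rules(SAMPLE)
```

With these sample rules, a request for passwd.byname from a host outside 131.234.214.0/255.255.254.0 matches nothing and is allowed from any port, which is the fall-through to check for when reviewing a real rule set.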
FILES
/etc/ypserv.conf
SEE ALSO
WARNINGS
The access rules for special maps are no real improvement in security,
but they make life a little bit harder for a potential hacker.
BUGS
Solaris clients don't use privileged ports. All security options
that depend on privileged ports cause big problems on Solaris clients.
AUTHOR
Thorsten Kukuk <kukuk@suse.de>