Message-Id: <200605081904.k48J4XMl036469@www.freebsd.org>
Date: Mon, 8 May 2006 19:04:33 GMT
From: Hokan <hokan@me.umn.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /var/yp/securenets does not function in ypbind on 6.0 and 5.3
X-Send-Pr-Version: www-2.3

>Number:         96993
>Category:       bin
>Synopsis:       [nis] /var/yp/securenets does not function in ypbind on 6.0 and 5.3
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 08 19:10:18 GMT 2006
>Closed-Date:    Mon Jun 12 22:25:46 GMT 2006
>Last-Modified:  Mon Jun 12 22:25:46 GMT 2006
>Originator:     Hokan
>Release:        6.0 and 5.3
>Organization:
University of Minnesota
>Environment:
FreeBSD rapid.enet.umn.edu 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 20 12:01:56 CST 2006     root@rapid.enet.umn.edu:/usr/src/sys/i386/compile/RAPID  i386

FreeBSD temp1.enet.umn.edu 5.3-RELEASE FreeBSD 5.3-RELEASE #1: Tue May 24 14:49:50 CDT 2005     root@temp1.enet.umn.edu:/usr/src/sys/i386/compile/TEMP1  i386

>Description:
securenets file is ignored by ypserv.  It is (properly?) used by rpc.yppasswdd.

On these releases anyone on the net can query NIS maps.  In a mixed
environment, like ours, the passwd map includes passwords.  So anyone can
look at our encrypted passwords.
>How-To-Repeat:
Set up a NIS server with a restrictive securenets file.  Bind to that server
with a client not authorized with securenets.
>Fix:
Workaround:  use hosts.allow
>Release-Note:
>Audit-Trail:

From: Hokan <hokan@me.umn.edu>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/96993: [nis] /var/yp/securenets does not function in ypbind on 6.0 and 5.3
Date: Mon, 12 Jun 2006 13:48:15 -0500

 This has been addressed in FreeBSD Security Advisory FreeBSD-SA-06:15.ypserv but
 further testing here has shown that the fix was not completely correct (although
 the security problem was stopped).
 
 We have been having performance concerns with ypserv and decided to try compiling
 without tcpwrappers support.  This should be accomplished by modifying the Makefile
 to remove -DTCP_WRAPPER from CFLAGS:
 
 -CFLAGS+= -DDB_CACHE -DTCP_WRAPPER -I.
 +CFLAGS+= -DDB_CACHE -I.
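 
 Review bot: removing -DTCP_WRAPPER on the CFLAGS line also compiles out the
 hosts.allow check, which is the workaround this PR lists under >Fix:, so a
 ypserv built this way relies on /var/yp/securenets alone for access control.
 Suggest re-running the How-To-Repeat test (bind from a client not authorized
 in securenets) against the rebuilt binary before deploying it, and recording
 the reason for the change in a comment next to the CFLAGS line.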
 
 However, this no longer will compile after the security patch is applied.
 
 The original version will compile and will use securenets.  (The original
 version will not use securenets if tcpwrappers is enabled.)

From: Maxim Konovalov <maxim@macomnet.ru>
To: Hokan <hokan@me.umn.edu>
Cc: bug-followup@freebsd.org
Subject: Re: bin/96993: [nis] /var/yp/securenets does not function in ypbind
 on 6.0 and 5.3
Date: Mon, 12 Jun 2006 23:42:57 +0400 (MSD)

 On Mon, 12 Jun 2006, 18:50-0000, Hokan wrote:
 
 >  This has been addressed in FreeBSD Security Advisory
 >  FreeBSD-SA-06:15.ypserv but further testing here has shown that the
 >  fix was not completely correct (although the security problem was
 >  stopped).
 >
 >  We have been having performance concerns with ypserv and decided to try compiling
 >  without tcpwrappers support.  This should be accomplished by modifying the Makefile
 >  to remove -DTCP_WRAPPER from CFLAGS:
 >
 >  -CFLAGS+= -DDB_CACHE -DTCP_WRAPPER -I.
 >  +CFLAGS+= -DDB_CACHE -I.
 >
 >  However, this no longer will compile after the security patch is applied.
 >
 >  The original version will compile and will use securenets.  (The original
 >  version will not use securenets if tcpwrappers is enabled.)
 
 It does compile on my HEAD and RELENG_6 systems.
 
 -- 
 Maxim Konovalov

From: Hokan <hokan@me.umn.edu>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/96993: [nis] /var/yp/securenets does not function in ypbind on 6.0 and 5.3
Date: Mon, 12 Jun 2006 16:12:52 -0500

 On Mon, Jun 12, 2006 at 11:42:57PM +0400, Maxim Konovalov wrote:
 > On Mon, 12 Jun 2006, 18:50-0000, Hokan wrote:
 > 
 > >  This has been addressed in FreeBSD Security Advisory
 > >  FreeBSD-SA-06:15.ypserv but further testing here has shown that the
 > >  fix was not completely correct (although the security problem was
 > >  stopped).
 > >
 > >  We have been having performance concerns with ypserv and decided to try compiling
 > >  without tcpwrappers support.  This should be accomplished by modifying the Makefile
 > >  to remove -DTCP_WRAPPER from CFLAGS:
 > >
 > >  -CFLAGS+= -DDB_CACHE -DTCP_WRAPPER -I.
 > >  +CFLAGS+= -DDB_CACHE -I.
 > >
 > >  However, this no longer will compile after the security patch is applied.
 > >
 > >  The original version will compile and will use securenets.  (The original
 > >  version will not use securenets if tcpwrappers is enabled.)
 > 
 > It does compile on my HEAD and RELENG_6 systems.
 
 The patch I had was apparently a beta version.  The official version
 does seem to work.
 
 Thank you for your patience.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Hokan <hokan@me.umn.edu>
Cc: bug-followup@freebsd.org
Subject: Re: bin/96993: [nis] /var/yp/securenets does not function in ypbind
 on 6.0 and 5.3
Date: Tue, 13 Jun 2006 01:19:48 +0400 (MSD)

 On Mon, 12 Jun 2006, 16:12-0500, Hokan wrote:
 
 > On Mon, Jun 12, 2006 at 11:42:57PM +0400, Maxim Konovalov wrote:
 > > On Mon, 12 Jun 2006, 18:50-0000, Hokan wrote:
 > >
 > > >  This has been addressed in FreeBSD Security Advisory
 > > >  FreeBSD-SA-06:15.ypserv but further testing here has shown that the
 > > >  fix was not completely correct (although the security problem was
 > > >  stopped).
 > > >
 > > >  We have been having performance concerns with ypserv and
 > > >  decided to try compiling without tcpwrappers support.  This
 > > >  should be accomplished by modifying the Makefile to remove
 > > >  -DTCP_WRAPPER from CFLAGS:
 > > >
 > > >  -CFLAGS+= -DDB_CACHE -DTCP_WRAPPER -I.
 > > >  +CFLAGS+= -DDB_CACHE -I.
 > > >
 > > >  However, this no longer will compile after the security patch
 > > >  is applied.
 > > >
 > > >  The original version will compile and will use securenets.
 > > >  (The original version will not use securenets if tcpwrappers is
 > > >  enabled.)
 > >
 > > It does compile on my HEAD and RELENG_6 systems.
 >
 > The patch I had was apparently a beta version.  The official version
 > does seem to work.
 
 Could you please clarify - can we close this PR or are there still
 unresolved issues?
 
 -- 
 Maxim Konovalov

From: Hokan <hokan@me.umn.edu>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@freebsd.org
Subject: Re: bin/96993: [nis] /var/yp/securenets does not function in ypbind on 6.0 and 5.3
Date: Mon, 12 Jun 2006 16:24:32 -0500

 On Tue, Jun 13, 2006 at 01:19:48AM +0400, Maxim Konovalov wrote:
 > 
 > Could you please clarify - can we close this PR or are there still
 > unresolved issues?
 
 This issue is resolved.  Please close the PR.
 
 Thank you.
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Mon Jun 12 22:24:46 UTC 2006 
State-Changed-Why:  
Submitter notes that the problem has been resolved. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96993 
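
Added example, not part of the original PR or of FreeBSD's ypserv code: an audit helper for choosing the test client in the How-To-Repeat step, that is, an address a given securenets file should refuse. It assumes the "network netmask" line layout described in ypserv(8) and that a client is admitted when its address ANDed with the mask equals the network; the sample file and client addresses are constructed.

```python
import ipaddress

# Constructed sample in the layout documented in ypserv(8):
# "<network> <netmask>" per line, "#" starts a comment.
SAMPLE_SECURENETS = """\
# allow connections from local host
127.0.0.1     255.255.255.255
# allow any host on the 192.168.128.0 network
192.168.128.0 255.255.255.0
# allow 10.0.0.0 through 10.0.15.255
10.0.0.0      255.255.240.0
"""

def parse_securenets(text):
    """Return (rules, warnings); a rule is (network, mask, line number)."""
    rules, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            if len(fields) != 2:
                raise ValueError("expected two fields")
            net, mask = (int(ipaddress.IPv4Address(f)) for f in fields)
        except ValueError:
            warnings.append(f"line {lineno}: unparsable entry")
            continue
        if mask == 0 and net == 0:
            warnings.append(f"line {lineno}: zero mask admits every client")
        elif net & ~mask & 0xFFFFFFFF:
            warnings.append(f"line {lineno}: network has bits outside the mask")
        rules.append((net, mask, lineno))
    return rules, warnings

def admitted_by(rules, client):
    """Line number of the first rule admitting client, or None if refused."""
    addr = int(ipaddress.IPv4Address(client))
    for net, mask, lineno in rules:
        # Assumed matching rule: address ANDed with mask equals the network.
        if (addr & mask) == net:
            return lineno
    return None

if __name__ == "__main__":
    rules, warnings = parse_securenets(SAMPLE_SECURENETS)
    print("\n".join(warnings) or "no warnings")
    for client in ("192.168.128.77", "10.0.15.255", "10.0.16.1", "203.0.113.5"):
        line = admitted_by(rules, client)
        print(client, f"admitted by line {line}" if line else "refused")
```

An address reported as refused is one to bind from when repeating the test. ypserv(8) also documents that a missing securenets file admits every host, which this helper does not model.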
>Unformatted:
