Subject: Re: changed files: 'src/usr.sbin/yp/ypbind ypbind.c'
To: None <deraadt@sun-lamp.cs.berkeley.edu, glass@sun-lamp.cs.berkeley.edu>
From: Theo Deraadt <deraadt>
List: source-changes
Date: 11/15/1993 00:29:30
> > ypset should only be permitted from a reserved port.
> > from Tor Egge <tegge@pvv.unit.no>
> there should be a ypbind command line switch to turn this off. As you
> know, non-pure unix machines, and pcs don't follow this rule. See
> the '-n' switch to mountd.
no, this is a good fix.
this change only affects the the "ypset" command (a command which
arguably should not exist, but does.. thanks, sun :-)
without this fix, anyone anywhere would be able to ypset your ypbind,
causing it to bind to a server anywhere in the world. this is not-good,
and i'm kinda ashamed that this hole existed!
I'm now thinking there might be other similar security holes in ypbind..
------------------------------------------------------------------------------