YP, Netgroups, And Fixing Insecure hosts.equiv

Doug Moran moran at warbucks.ai.sri.com
Thu Jan 26 19:31:37 AEST 1989


scs at lokkur.uucp (Steve Simmons):
>YP has a db called netgroups.  It allows you to define arbitrary
>collections of users, machines, and domains (domain in this case means YP
>domain, not Internet domain).  You define a name followed by a list of
>triplets of user, host, domain....

Minor notes: under 3.x (presumably also in 4.0), the order to the triplets
is "(host,user,domain)", not "(user,host,domain)". Under 3.x, the "any"
character is null (the reverse of the above statement). Thus, in 3.x the above
example "(*,host1,domain)" should have been "(host1,,domain)".  Various
usages of netgroups ignore certain fields, e.g. hosts.equiv ignores the user
field, so the triplet "(host1,*,domain)" would have the same effect as
"(host1,foo,domain)" and "(host1,,domain)".

WARNING:

A system administrator reading the netgroup(5) manual page would be
inclined to believe that the triplet "(,,mydomain)" defines a group of
all the hosts in YP domain "mydomain".  However, uses of netgroup in
/etc/exports and /etc/hosts.equiv (and elsewhere?) ignore the domain field
so that this triplet is equivalent to "(,,)", i.e. universal permission.
(Aside: even if this field were not ignored, defining a netgroup simply
using your domain is not a good idea because domain names tend to be easy
to guess and are trivial to spoof).

The probable reason that the YP domain name is not used is that it is not
part of the information sent by the remote host to the server (e.g., in
the rlogin preamble or in the authunix_param field of an nfsmount
request).  Since using this field would require the server to derive the
client's domain name (even if that were possible in all cases), it would
add little or nothing to the verification process.

An early reference to this problem, with a somewhat different diagnosis,
can be found in a message from Matt Landau (mlandau at diamond.bbn.com) in
Sun-Spots v5n5 (20 March 87).

Douglas B. Moran
AI Center, SRI International
moran at ai.sri.com
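As an added audit example (not code from the original post or from Sun), the following Python script evaluates netgroup membership with the hosts.equiv semantics the post describes: the 3.x "(host,user,domain)" order, the empty field as the wildcard, and the user and domain fields ignored. It flags triplets such as "(,,mydomain)" that admit every host. The netgroup map it parses is a constructed sample; the function names are the example's own.

```python
import re
# Field order is the 3.x one the post gives: (host, user, domain).
TRIPLET_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample netgroup map (hypothetical; not from the original post).
SAMPLE_MAP = """\
engineering (host1,,domain) (host2,foo,domain)
trusted     engineering (host3,,)
everybody   (,,mydomain)   # looks domain-scoped; it is not
"""

def parse_netgroup_map(text):
    """Map 'name (h,u,d) ... othergroup ...' lines to
    name -> (own triplets, names of nested netgroups)."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name, rest = (line.split(None, 1) + [""])[:2]  # tolerate tabs
        triplets = [tuple(f.strip() for f in m.groups())
                    for m in TRIPLET_RE.finditer(rest)]
        nested = TRIPLET_RE.sub(" ", rest).split()    # non-triplet tokens
        groups[name] = (triplets, nested)
    return groups

def all_triplets(groups, name, seen=None):
    """Flatten nested netgroups into one triplet list (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triplets, nested = groups[name]
    out = list(triplets)
    for sub in nested:
        out.extend(all_triplets(groups, sub, seen))
    return out

def host_trusted_by(groups, name, host):
    """hosts.equiv semantics from the post: only the host field counts;
    an empty host field is the 3.x wildcard; user and domain are ignored."""
    return any(h in ("", host) for h, _user, _domain in all_triplets(groups, name))

def universal_triplets(groups, name):
    """Audit: triplets whose host field is empty, e.g. (,,mydomain); they admit
    every host no matter what domain is written."""
    return [t for t in all_triplets(groups, name) if t[0] == ""]

GROUPS = parse_netgroup_map(SAMPLE_MAP)
```

Running `universal_triplets` over every netgroup in a real map is the check an administrator would want before trusting a domain-looking entry in /etc/hosts.equiv or /etc/exports.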
