ypserv.conf - configuration file for ypserv and rpc.ypxfrd
ypserv.conf is an ASCII file which contains some options for ypserv. It
also contains a list of rules for special host and map access for ypserv and
rpc.ypxfrd. This file will be read by ypserv and rpc.ypxfrd at startup, or
when receiving a SIGHUP signal.
There is one entry per line. If the line is an option line, the format is:
- option: <argument>
The line for an access rule has the format:
All rules are tried one by one. If no match is found, access to a map is
- files: 30
- This option specifies how many database files should be
cached by ypserv. If 0 is specified, caching is disabled.
Decreasing this number is only possible, if ypserv is
- trusted_master: server
- When a map is pushed to a slave, the slave normally only
accepts updates to existing maps, and then only from the real master. If
this option is set on a slave server, new (not yet existing) maps from the
host server will be accepted. The default is that no trusted master
is set and new maps will not be accepted.
- slp: [yes|<no>|domain]
- If this option is enabled and SLP support is compiled in, the
NIS server registers itself on an SLP server. If the variable is set to
domain, an attribute domain with a comma-separated list of
supported domain names is set. Otherwise this attribute will not be set.
- xfr_check_port: [<yes>|no]
- With this option enabled, the NIS master server has to run
on a privileged port (< 1024). The default is "yes".
The field descriptions for the access rule lines are:
- IP address. Wildcards are allowed.
131.234. = 188.8.131.52/255.255.0.0
- specifies the domain, for which this rule should be
applied. An asterisk as wildcard is allowed.
- name of the map, or asterisk for all maps.
- one of none, port, deny:
- none: always allow access.
- port: allow access if the client request originates from a
privileged port (< 1024). Otherwise do not allow access.
- deny: deny access to this map.
You can add /mangle:field to the none keywords. The :field part is optional.
It will replace field number (the default is 2, the password field of the
passwd and shadow maps) with the value x for client requests from
non-privileged ports (>= 1024) for the port security keyword and in all
cases for the
The access rules for special maps are no real improvement in security, but they
make life a little bit harder for a potential hacker.
Solaris clients don't use privileged ports. All security options that depend on
privileged ports cause big problems on Solaris clients.
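
The following is an added example, not code from ypserv or from this page: a small evaluator that shows how an access rule turns a client's address and source port into an allow, deny or mangle decision. It assumes the four rule fields are colon-separated in the order the field descriptions list them and that the first matching rule decides; the sample rules, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample file (not from the page). Rule fields are assumed to be
# colon-separated in the order the field descriptions give them.
SAMPLE_CONF = """\
files: 30
xfr_check_port: yes
192.0.2.:*:shadow.byname:port/mangle
*:*:shadow.byname:deny
*:*:passwd.byname:port/mangle:2
*:*:*:none
"""

def parse_rules(text):
    """Return access rules as (host, domain, map, security); option lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":", 3)]
        if len(parts) == 4 and parts[3].split("/")[0] in ("none", "port", "deny"):
            rules.append(tuple(parts))
    return rules

def host_matches(pattern, ip):
    """Match '*', a dotted prefix such as '192.0.2.', or an address/netmask pair."""
    if pattern == "*":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, ip, src_port, domain, mapname):
    """Apply the first matching rule: 'allow', 'deny', 'mangle:N', or None if none match."""
    for host, dom, mp, sec in rules:
        if not (host_matches(host, ip) and dom in ("*", domain) and mp in ("*", mapname)):
            continue
        keyword, _, mangle = sec.partition("/")
        privileged = src_port < 1024
        if keyword == "deny" or (keyword == "port" and not privileged and not mangle):
            return "deny"
        if mangle and (keyword == "none" or not privileged):
            return "mangle:" + (mangle.partition(":")[2] or "2")  # default field is 2
        return "allow"
    return None  # no rule matched

RULES = parse_rules(SAMPLE_CONF)
```

With the port keyword, the same client address gets the real password field or the mangled one depending only on the source port of the request, which is why these rules add little real protection and why clients that do not use privileged ports are affected.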
Thorsten Kukuk <firstname.lastname@example.org>