Description of problem:
The documentation that shows how to create a secure NIS server is incorrect. The documentation does not make the NIS server use static ports. I have found a fix to the problem and it is quite easy to make the change to the documentation. In the section titled "5.3.4. Assign Static Ports and Use IPTables Rules" it says to change the /etc/sysconfig/network file in order to allow static ports for NIS. The documentation at this moment says that the two lines

YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"

should be added to the file to create the static ports. I tried to get it working under this change and could not. But I found that the simple change of editing those new lines to be

YPSERV_ARGS="--port 834"
YPXFRD_ARGS="--port 835"

will create the desired effect. Just to let you know.

Version-Release number of selected component (if applicable):
rhel-sg(EN)-3-HTML-RHI (2003-07-25T17:12)
Reassigning to maintainer. J
Hi David, please check the relevance of this in regard to where we are with documenting security. Cheers, Mike
Emailed twoerner for validation. David
The following comment from twoerner:

From the ypserv man page:

    -p --port port
        ypserv will bind itself to this port. This makes it possible to have a router filter packets to the NIS ports, so that access to the NIS server from hosts on the Internet can be restricted.

From the rpc.ypxfrd man page:

    -p port
        rpc.ypxfrd will bind itself to this port, which makes it possible to have a router filter packets to the NIS ports. This can restrict the access to the NIS server from hosts on the Internet.

So I do not think that it is a good idea to change YPXFRD_ARGS to "--port 835", because rpc.ypxfrd does not accept --port as an option.

I'm not changing the doc for the present. I'll try to get someone to actually test this and validate what works and what doesn't.
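As an added example that is not part of the Security Guide, the bug report or twoerner's comment: a small POSIX shell script that emits the two /etc/sysconfig/network lines using the -p form that both man pages quoted above document, generates iptables rules that confine the portmapper and the two static NIS ports to a trusted network, and checks against rpcinfo -p whether a daemon really registered on the expected port. The ports 834 and 835 come from the thread; the trusted network 192.168.1.0/24, the function names and the rule layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Security Guide or the bug report).
# Ports 834/835 are the ones used in the bug; 192.168.1.0/24 is an
# assumed trusted network. Function names are illustrative.

# Print the two lines to append to /etc/sysconfig/network.
# The ypserv man page lists both -p and --port; the rpc.ypxfrd man page
# lists only -p, so -p is used for both daemons.
nis_sysconfig_args() {
    ypserv_port="$1"
    ypxfrd_port="$2"
    printf 'YPSERV_ARGS="-p %s"\n' "$ypserv_port"
    printf 'YPXFRD_ARGS="-p %s"\n' "$ypxfrd_port"
}

# Print iptables commands that accept NIS traffic (portmapper on 111 plus
# the static ports given as arguments) only from the trusted network and
# drop it from everywhere else. NIS RPC services register on both TCP and
# UDP, so each port gets a rule pair for each protocol.
nis_iptables_rules() {
    trusted="$1"
    shift
    for port in 111 "$@"; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
                "$proto" "$port" "$trusted"
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' \
                "$proto" "$port"
        done
    done
}

# Check the portmapper's table (rpcinfo -p prints: program vers proto port
# service) for a service registered on the expected port. Returns 0 if it
# is found, 1 otherwise; without a running portmapper this reports failure.
nis_port_bound() {
    service="$1"
    port="$2"
    rpcinfo -p 2>/dev/null | awk -v svc="$service" -v p="$port" \
        '$5 == svc && $4 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Usage, as root, after restarting ypserv and ypxfrd:
#   nis_sysconfig_args 834 835 >> /etc/sysconfig/network
#   nis_iptables_rules 192.168.1.0/24 834 835 | sh
#   nis_port_bound ypserv 834 && echo "ypserv is on 834"
```

The rpcinfo check is the part a tester would want: whichever spelling of the option ends up in YPSERV_ARGS, the daemon has only honoured it if rpcinfo -p shows ypserv (and ypxfrd) on the configured port rather than on a random high port. Note that the DROP rules for port 111 also affect every other RPC service on the host, so keep the trusted-network ACCEPT rule in front of them.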
Adding cc ecs-dev-list for tracking.
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission-critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.