COMMAND
ypbind(8)
SYSTEMS AFFECTED
SunOS 3.x, SunOS 4.0
PROBLEM
ypbind will happily accept ypset requests from the network to
change the ypserv for a domain. (This is of course documented as a
recommended way to tell ypbind about ypservs on other networks,
since ypbind uses broadcasts to find its ypserv.) So anyone
can tell your ypbind to use them as ypserv, give it a fake passwd
file, and log in as root, *IF* they know, or can guess, your
domainname. And of course, anyone who has an account on your
machine can trivially find out your domainname. The problem could
probably be fixed by changing ypbind so it accepts a list of
trusted hosts for ypset requests, or better yet, accepts a list
at startup from some trustworthy file.

Which leads to the second problem... anyone on your machine can
start up their own ypbind -- the old ypbind will gracefully(!)
yield to it. If you have SunOS src on your system, or have someone
capable of writing a ypbind substitute that behaves differently,
then there doesn't seem to be much one can do to stop them
from replacing your ypbind; it would appear to be a feature
of Sun RPC. I suspect it is possible to have a machine on
your ethernet that listens for YP broadcast requests and
replies quickly, beating out the real ypserv. But that's a
different kettle of fish -- you pretty much have to trust
everyone on your ethernet anyway.
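
The trusted-host list suggested above, sketched as an added example (not SunOS source and not part of the original advisory): a list read at startup is consulted before a ypset request is honoured, and a malformed list denies everyone. The names load_trusted and ypset_allowed, the file format and the sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
struct trusted_list { struct in_addr addr[32]; size_t count; };
/* Constructed sample of the trusted-hosts file: one IPv4 address per line. */
static const char SAMPLE_LIST[] =
    "192.0.2.10   # ypserv on the other network (made-up address)\n"
    "192.0.2.11\n";
/* Returns the entry count, or -1 with the list emptied (deny all) on a bad entry. */
int load_trusted(const char *text, struct trusted_list *tl)
{
    char line[64];
    tl->count = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t len = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += n + (text[n] == '\n');
        char *p = line + strspn(line, " \t");
        p[strcspn(p, "# \t\r")] = '\0';   /* drop comment and padding */
        if (*p == '\0') continue;          /* blank or comment-only line */
        if (tl->count == sizeof tl->addr / sizeof tl->addr[0] ||
            inet_pton(AF_INET, p, &tl->addr[tl->count]) != 1) {
            tl->count = 0;
            return -1;
        }
        tl->count++;
    }
    return (int)tl->count;
}

/* 1 if the ypset sender (address as reported by the transport) is listed, else 0. */
int ypset_allowed(const char *list_text, const char *sender_ip)
{
    struct trusted_list tl;
    struct in_addr src;
    if (load_trusted(list_text, &tl) <= 0) return 0;
    if (inet_pton(AF_INET, sender_ip, &src) != 1) return 0;
    for (size_t i = 0; i < tl.count; i++)
        if (tl.addr[i].s_addr == src.s_addr) return 1;
    return 0;
}

int main(void)
{
    printf("listed sender:   %d\n", ypset_allowed(SAMPLE_LIST, "192.0.2.11"));
    printf("unlisted sender: %d\n", ypset_allowed(SAMPLE_LIST, "198.51.100.7"));
    return 0;
}
```

The check keys on the sender address as the transport reports it, so it narrows who can rebind ypbind over the network but does nothing about a local user starting a replacement ypbind.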