Re: YP/NIS support in /etc/ethers, libc ether_ntohost/ether_hostton
Sure but the issue is that binaries over-reach beyond in a way that "getpw" supports for name lookups cannot help here. So the ether library routines need another non-obvious pledge. I prefer to remove such YP support since use of it would be completely fringe.

> On Thu, Nov 08, 2018 at 08:05:13PM -0500, Bryan Steele wrote:
> > These libc functions are used to map hardware MAC addresses to hostnames
> > and vice versa. If it exists, /etc/ethers will typically contain a
> > number of lines like so:
> >
> > 34:00:8a:56:10:20 superman
> >
> > In addition to that, there is support for using a YP (nee Yellow Pee)
> > lookup service:
> >
> > "If a '+' appears alone on a line in the file, then ether_hostton() will
> > consult the x ethers.byname YP map, and ether_ntohost() will consult the
> > ethers.byaddr YP map."
> >
> > This support currently interferes with my work to reduce the pledge(2)
> > in tcpdump(8), as the "inet" promise is required to perform these
> > lookups.
> >
> > I've come up with a small diff to remove it, but it was suggested there
> > may be some interactions with ldap, and I'm not sure how important this
> > functionality may be to existing YP users (I am not one).
>
> ypldap does not provide ethers.byname or ethers.byaddr maps, if that's the
> ldap interaction in question here.
>
Re: YP/NIS support in /etc/ethers, libc ether_ntohost/ether_hostton
Paraphrasing an excerpt of my commit on getent(1) to add unveil(2):

"After a discussion with millert@ regarding YP then deraadt@ chimed in referring that when he wrote this code even though we can have YP mappings with several of these dbs "it doesn't mean that things use it, or should, or will" so adding unveil(2) here should not impact any YP environments."

I think we can let it go.

On 22:01 Fri 09 Nov , Jonathan Matthew wrote:
> On Thu, Nov 08, 2018 at 08:05:13PM -0500, Bryan Steele wrote:
> > These libc functions are used to map hardware MAC addresses to hostnames
> > and vice versa. If it exists, /etc/ethers will typically contain a
> > number of lines like so:
> >
> > 34:00:8a:56:10:20 superman
> >
> > In addition to that, there is support for using a YP (nee Yellow Pee)
> > lookup service:
> >
> > "If a '+' appears alone on a line in the file, then ether_hostton() will
> > consult the x ethers.byname YP map, and ether_ntohost() will consult the
> > ethers.byaddr YP map."
> >
> > This support currently interferes with my work to reduce the pledge(2)
> > in tcpdump(8), as the "inet" promise is required to perform these
> > lookups.
> >
> > I've come up with a small diff to remove it, but it was suggested there
> > may be some interactions with ldap, and I'm not sure how important this
> > functionality may be to existing YP users (I am not one).
>
> ypldap does not provide ethers.byname or ethers.byaddr maps, if that's the
> ldap interaction in question here.
>
Re: YP/NIS support in /etc/ethers, libc ether_ntohost/ether_hostton
On Thu, Nov 08, 2018 at 08:05:13PM -0500, Bryan Steele wrote:
> These libc functions are used to map hardware MAC addresses to hostnames
> and vice versa. If it exists, /etc/ethers will typically contain a
> number of lines like so:
>
> 34:00:8a:56:10:20 superman
>
> In addition to that, there is support for using a YP (nee Yellow Pee)
> lookup service:
>
> "If a '+' appears alone on a line in the file, then ether_hostton() will
> consult the x ethers.byname YP map, and ether_ntohost() will consult the
> ethers.byaddr YP map."
>
> This support currently interferes with my work to reduce the pledge(2)
> in tcpdump(8), as the "inet" promise is required to perform these
> lookups.
>
> I've come up with a small diff to remove it, but it was suggested there
> may be some interactions with ldap, and I'm not sure how important this
> functionality may be to existing YP users (I am not one).

ypldap does not provide ethers.byname or ethers.byaddr maps, if that's the ldap interaction in question here.
Re: YP/NIS support in /etc/ethers, libc ether_ntohost/ether_hostton
This was suggested by deraadt@, sorry.

On Thu, Nov 08, 2018 at 08:05:13PM -0500, Bryan Steele wrote:
> These libc functions are used to map hardware MAC addresses to hostnames
> and vice versa. If it exists, /etc/ethers will typically contain a
> number of lines like so:
>
> 34:00:8a:56:10:20 superman
>
> In addition to that, there is support for using a YP (nee Yellow Pee)
> lookup service:
>
> "If a '+' appears alone on a line in the file, then ether_hostton() will
> consult the x ethers.byname YP map, and ether_ntohost() will consult the
> ethers.byaddr YP map."
>
> This support currently interferes with my work to reduce the pledge(2)
> in tcpdump(8), as the "inet" promise is required to perform these
> lookups.
>
> I've come up with a small diff to remove it, but it was suggested there
> may be some interactions with ldap, and I'm not sure how important this
> functionality may be to existing YP users (I am not one).
>
> Any objections to this approach? (Missing man page removal bits)
>
> -Bryan.
>
> Index: ethers.c === RCS file: /cvs/src/lib/libc/net/ethers.c,v > retrieving revision 1.25 > diff -u -p -u -r1.25 ethers.c > --- lib/libc/net/ethers.c 21 Sep 2016 04:38:56 - 1.25 > +++ lib/libc/net/ethers.c 8 Nov 2018 23:54:19 - > @@ -34,9 +34,6 @@ > #include > #include > #include > -#ifdef YP > -#include > -#endif > > #ifndef _PATH_ETHERS > #define _PATH_ETHERS "/etc/ethers" > @@ -99,18 +96,6 @@ ether_ntohost(char *hostname, struct eth > char buf[BUFSIZ+1], *p; > size_t len; > struct ether_addr try; > -#ifdef YP > - char trybuf[sizeof("xx:xx:xx:xx:xx:xx")]; > - int trylen; > -#endif > - > -#ifdef YP > - snprintf(trybuf, sizeof trybuf, "%x:%x:%x:%x:%x:%x", > - e->ether_addr_octet[0], e->ether_addr_octet[1], > - e->ether_addr_octet[2], e->ether_addr_octet[3], > - e->ether_addr_octet[4], e->ether_addr_octet[5]); > - trylen = strlen(trybuf); > -#endif > > f = fopen(_PATH_ETHERS, "re"); > if (f == NULL) 
> @@ -123,26 +108,9 @@ ether_ntohost(char *hostname, struct eth > (void)memcpy(buf, p, len); > buf[len] = '\n';/* code assumes newlines later on */ > buf[len+1] = '\0'; > -#ifdef YP > - /* A + in the file means try YP now. */ > - if (!strncmp(buf, "+\n", sizeof(buf))) { > - char *ypbuf, *ypdom; > - int ypbuflen; > - > - if (yp_get_default_domain()) > - continue; > - if (yp_match(ypdom, "ethers.byaddr", trybuf, > - trylen, , )) > - continue; > - if (ether_line(ypbuf, , hostname) == 0) { > - free(ypbuf); > - (void)fclose(f); > - return (0); > - } > - free(ypbuf); > + /* A + in the file meant try YP, ignore it. */ > + if (!strncmp(buf, "+\n", sizeof(buf))) > continue; > - } > -#endif > if (ether_line(buf, , hostname) == 0 && > memcmp(, e, sizeof(try)) == 0) { > (void)fclose(f); > @@ -161,9 +129,6 @@ ether_hostton(const char *hostname, stru > char buf[BUFSIZ+1], *p; > char try[HOST_NAME_MAX+1]; > size_t len; > -#ifdef YP > - int hostlen = strlen(hostname); > -#endif > > f = fopen(_PATH_ETHERS, "re"); > if (f==NULL) > @@ -177,26 +142,9 @@ ether_hostton(const char *hostname, stru > memcpy(buf, p, len); > buf[len] = '\n';/* code assumes newlines later on */ > buf[len+1] = '\0'; > -#ifdef YP > - /* A + in the file means try YP now. */ > - if (!strncmp(buf, "+\n", sizeof(buf))) { > - char *ypbuf, *ypdom; > - int ypbuflen; > - > - if (yp_get_default_domain()) > - continue; > - if (yp_match(ypdom, "ethers.byname", hostname, hostlen, > - , )) > - continue; > - if (ether_line(ypbuf, e, try) == 0) { > - free(ypbuf); > - (void)fclose(f); > - return (0); > - } > - free(ypbuf); > + /* A + in the file meant try YP, ignore it. */ > + if (!strncmp(buf, "+\n", sizeof(buf))) > continue; > - } > -#endif > if (ether_line(buf, e, try) == 0 && strcmp(hostname, try) == 0) > { > (void)fclose(f); > return (0);
YP/NIS support in /etc/ethers, libc ether_ntohost/ether_hostton
These libc functions are used to map hardware MAC addresses to hostnames and vice versa. If it exists, /etc/ethers will typically contain a number of lines like so:

34:00:8a:56:10:20 superman

In addition to that, there is support for using a YP (nee Yellow Pee) lookup service:

"If a '+' appears alone on a line in the file, then ether_hostton() will consult the x ethers.byname YP map, and ether_ntohost() will consult the ethers.byaddr YP map."

This support currently interferes with my work to reduce the pledge(2) in tcpdump(8), as the "inet" promise is required to perform these lookups.

I've come up with a small diff to remove it, but it was suggested there may be some interactions with ldap, and I'm not sure how important this functionality may be to existing YP users (I am not one).

Any objections to this approach? (Missing man page removal bits)

-Bryan.

Index: ethers.c === RCS file: /cvs/src/lib/libc/net/ethers.c,v retrieving revision 1.25 diff -u -p -u -r1.25 ethers.c --- lib/libc/net/ethers.c 21 Sep 2016 04:38:56 - 1.25 +++ lib/libc/net/ethers.c 8 Nov 2018 23:54:19 - @@ -34,9 +34,6 @@ #include #include #include -#ifdef YP -#include -#endif #ifndef _PATH_ETHERS #define _PATH_ETHERS "/etc/ethers" @@ -99,18 +96,6 @@ ether_ntohost(char *hostname, struct eth char buf[BUFSIZ+1], *p; size_t len; struct ether_addr try; -#ifdef YP - char trybuf[sizeof("xx:xx:xx:xx:xx:xx")]; - int trylen; -#endif - -#ifdef YP - snprintf(trybuf, sizeof trybuf, "%x:%x:%x:%x:%x:%x", - e->ether_addr_octet[0], e->ether_addr_octet[1], - e->ether_addr_octet[2], e->ether_addr_octet[3], - e->ether_addr_octet[4], e->ether_addr_octet[5]); - trylen = strlen(trybuf); - -#endif f = fopen(_PATH_ETHERS, "re"); if (f == NULL) 
@@ -123,26 +108,9 @@ ether_ntohost(char *hostname, struct eth (void)memcpy(buf, p, len); buf[len] = '\n';/* code assumes newlines later on */ buf[len+1] = '\0'; -#ifdef YP - /* A + in the file means try YP now. */ - if (!strncmp(buf, "+\n", sizeof(buf))) { - char *ypbuf, *ypdom; - int ypbuflen; - - if (yp_get_default_domain()) - continue; - if (yp_match(ypdom, "ethers.byaddr", trybuf, - trylen, , )) - continue; - if (ether_line(ypbuf, , hostname) == 0) { - free(ypbuf); - (void)fclose(f); - return (0); - } - free(ypbuf); + /* A + in the file meant try YP, ignore it. */ + if (!strncmp(buf, "+\n", sizeof(buf))) continue; - } -#endif if (ether_line(buf, , hostname) == 0 && memcmp(, e, sizeof(try)) == 0) { (void)fclose(f); @@ -161,9 +129,6 @@ ether_hostton(const char *hostname, stru char buf[BUFSIZ+1], *p; char try[HOST_NAME_MAX+1]; size_t len; -#ifdef YP - int hostlen = strlen(hostname); -#endif f = fopen(_PATH_ETHERS, "re"); if (f==NULL) @@ -177,26 +142,9 @@ ether_hostton(const char *hostname, stru memcpy(buf, p, len); buf[len] = '\n';/* code assumes newlines later on */ buf[len+1] = '\0'; -#ifdef YP - /* A + in the file means try YP now. */ - if (!strncmp(buf, "+\n", sizeof(buf))) { - char *ypbuf, *ypdom; - int ypbuflen; - - if (yp_get_default_domain()) - continue; - if (yp_match(ypdom, "ethers.byname", hostname, hostlen, - , )) - continue; - if (ether_line(ypbuf, e, try) == 0) { - free(ypbuf); - (void)fclose(f); - return (0); - } - free(ypbuf); + /* A + in the file meant try YP, ignore it. */ + if (!strncmp(buf, "+\n", sizeof(buf))) continue; - } -#endif if (ether_line(buf, e, try) == 0 && strcmp(hostname, try) == 0) { (void)fclose(f); return (0);
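Review bot: in the ether_ntohost() hunk (@@ -123,26 +108,9 @@) the lone "+" line is now skipped unconditionally rather than only under #ifdef YP, so the sole behavioural change is that ethers.byaddr is never consulted; the explicit skip only matters if ether_line() could ever accept a bare "+" line, so it documents intent more than it changes the file path. The replacement comment "A + in the file meant try YP, ignore it." should say the line is tolerated for compatibility with existing /etc/ethers files, and the manual page text quoted at the top of the post (the '+' consulting the ethers.byname and ethers.byaddr YP maps) needs to go in the same commit, as the post itself notes is still missing.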
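Review bot: the ether_hostton() hunk (@@ -177,26 +142,9 @@) now carries the same three-line "+" check as ether_ntohost(); both compare against the fixed two-character literal, so `strncmp(buf, "+\n", sizeof(buf))` is just `strcmp(buf, "+\n")` with extra noise, and with the #ifdef gone the duplicated check could be a one-line helper shared by both loops. Also confirm nothing else in the file still references hostlen, which this hunk removes together with its #ifdef YP block.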
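As an added illustration of what the file-only lookup does after the diff above (this is not OpenBSD's libc code): parse "xx:xx:xx:xx:xx:xx hostname" lines, skip a lone "+" instead of consulting a YP map, and match either by address (the ether_ntohost() case) or by name (the ether_hostton() case). It assumes an in-memory buffer in place of /etc/ethers, a constructed sample file, and the made-up names ethers_line and ethers_lookup.

```c
#include <stdio.h>
#include <string.h>

struct mac { unsigned char o[6]; };

/* Constructed sample /etc/ethers: the entry from the post, the lone "+"
 * that used to trigger a YP map lookup, and a short-octet entry. */
static const char SAMPLE_ETHERS[] =
    "34:00:8a:56:10:20 superman\n"
    "+\n"
    "0:1:2:3:4:5 batcave\n";
static const struct mac SUPERMAN_ADDR = {{0x34, 0x00, 0x8a, 0x56, 0x10, 0x20}};

/* Parse one line (no newline) into addr + host (host sized 256). Returns -1
 * for anything that is not an entry, including the lone "+", which is now
 * simply skipped instead of triggering a YP map lookup. */
static int ethers_line(const char *line, struct mac *m, char *host)
{
    unsigned v[6];
    /* %2x caps each octet at two hex digits, so "100:..." fails to parse */
    if (strcmp(line, "+") == 0 || sscanf(line, "%2x:%2x:%2x:%2x:%2x:%2x %255s",
        &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], host) != 7)
        return -1;
    for (int i = 0; i < 6; i++)
        m->o[i] = (unsigned char)v[i];
    return 0;
}

/* Walk the buffer the way the libc loop walks the FILE: match by address when
 * want_addr is set (ether_ntohost), else by name (ether_hostton). */
static int ethers_lookup(const char *db, const struct mac *want_addr,
    const char *want_name, struct mac *out_addr, char *out_host)
{
    char line[BUFSIZ], host[256];
    struct mac m; size_t len;
    for (; *db; db += len + (db[len] == '\n')) {
        len = strcspn(db, "\n");
        if (len >= sizeof line)         /* oversize line: skip it */
            continue;
        memcpy(line, db, len);
        line[len] = '\0';
        if (ethers_line(line, &m, host) != 0 ||
            (want_addr ? memcmp(&m, want_addr, sizeof m) : strcmp(host, want_name)))
            continue;
        if (out_addr) *out_addr = m;    /* fill whichever output is wanted */
        if (out_host) snprintf(out_host, 256, "%s", host);
        return 0;
    }
    return -1;
}
```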