authorMats O Jansson <maja@cvs.openbsd.org>1997-08-05 09:26:57 +0000
committerMats O Jansson <maja@cvs.openbsd.org>1997-08-05 09:26:57 +0000
commit76c6b6105c861349ba651e09118176c8aca4247d (patch)
tree84affb73625a76c430927176051024a87a10d5b5
parent5a7a5deabf1fd0ade0026fb6a75a3934e5d39c73 (diff)
When using /var/yp/securenet the local host running ypserv wasn't guaranteed
access to ypserv. This has been fixed by always allowing the host 127.0.0.1 access when using /var/yp/securenet. This is to keep compatibility with SunOS. When using the ypserv.acl(5) format access must be granted to 127.0.0.1 in the file. This is to make it possible to disallow access to ypserv from the host running it. This has been documented in man page and example. Thanks to <Ulrich.Flegel@braunschweig.netsurf.de> for bringing this to my attention (again). -moj
-rw-r--r--usr.sbin/ypserv/ypserv/acl.c11
-rw-r--r--usr.sbin/ypserv/ypserv/ypserv.acl1
-rw-r--r--usr.sbin/ypserv/ypserv/ypserv.acl.57
3 files changed, 16 insertions, 3 deletions
diff --git a/usr.sbin/ypserv/ypserv/acl.c b/usr.sbin/ypserv/ypserv/acl.c
index 22494083799..62292a4ad8b 100644
--- a/usr.sbin/ypserv/ypserv/acl.c
+++ b/usr.sbin/ypserv/ypserv/acl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: acl.c,v 1.4 1996/06/30 19:46:04 maja Exp $ */
+/* $OpenBSD: acl.c,v 1.5 1997/08/05 09:26:55 maja Exp $ */
/*
* Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@@ -32,7 +32,7 @@
*/
#ifndef LINT
-static char rcsid[] = "$OpenBSD: acl.c,v 1.4 1996/06/30 19:46:04 maja Exp $";
+static char rcsid[] = "$OpenBSD: acl.c,v 1.5 1997/08/05 09:26:55 maja Exp $";
#endif
#include <sys/types.h>
@@ -471,6 +471,13 @@ char *file;
data_file = fopen(file,"r");
};
+ /* Always add a localhost allow first, to be compatable with sun */
+
+ addr.s_addr = htonl(0x7f000001);
+ mask.s_addr = htonl(0xffffffff);
+ allow = TRUE;
+ acl_add_net(allow,&addr,&mask);
+
while ((data_file != NULL) &&
(acl_read_line(data_file,data_line,sizeof(data_line)))) {
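Review bot: The loopback rule is added before the read loop whether or not `fopen(file,"r")` succeeded, so a missing or unreadable securenet file still leaves an ACL holding this single allow entry; what every other client then gets is decided outside the hunk and should be confirmed and stated in the comment. The comment could also say that only the exact address is matched (mask 0xffffffff) and, assuming first-match evaluation as the word "first" suggests, that no line in the file can revoke it, e.g. `/* Always allow 127.0.0.1/32 first for SunOS securenet compatibility; file entries cannot override it */`. For readability, `addr.s_addr = htonl(INADDR_LOOPBACK);` would replace the magic constant, and `acl_add_net(TRUE,&addr,&mask);` would avoid the `allow` temporary if its value is not relied on before the loop reassigns it. The enclosing function begins and continues outside the hunk.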
diff --git a/usr.sbin/ypserv/ypserv/ypserv.acl b/usr.sbin/ypserv/ypserv/ypserv.acl
index 33c68568c80..afeb86fcb1b 100644
--- a/usr.sbin/ypserv/ypserv/ypserv.acl
+++ b/usr.sbin/ypserv/ypserv/ypserv.acl
@@ -13,6 +13,7 @@
# To process hostname gethostbyname is called. If the hostname has multiple
# ip-addresses all will be added (I hope). ip-address is processed by
# inet_aton.
+allow host localhost
deny host jodie
#############################################################################
diff --git a/usr.sbin/ypserv/ypserv/ypserv.acl.5 b/usr.sbin/ypserv/ypserv/ypserv.acl.5
index 000824a474f..4e00b7bca1b 100644
--- a/usr.sbin/ypserv/ypserv/ypserv.acl.5
+++ b/usr.sbin/ypserv/ypserv/ypserv.acl.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ypserv.acl.5,v 1.5 1996/07/04 21:17:15 deraadt Exp $
+.\" $OpenBSD: ypserv.acl.5,v 1.6 1997/08/05 09:26:56 maja Exp $
.\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
.\" All rights reserved.
.\"
@@ -72,6 +72,10 @@ If access is denied every call will cause a
.Nm no such domain
error for the caller.
.Pp
+Don't forget to allow localhost access if you want the machine running
+.Nm ypserv
+access it too.
+.Pp
There is no default name for this file. Start
.Nm ypserv
with a
@@ -131,6 +135,7 @@ A configuration file might appear as follows:
# To process hostname gethostbyname is called. If the hostname has
# multiple ip-addresses all will be added (I hope). ip-address
# processed by inet_aton.
+allow host localhost
deny host jodie
###########################################################################