8:58 a.m.
Steve Dickson wrote:
Its been point out that if there are are no rules in either
/etc/hosts.deny or /etc/hosts.allow there is no need to do any
validity checking on the incoming address.
Unfortunately there is no interface that will easily
let me know if there are any rules so I simply read
in both files looking for non-commented lines.
steved.
This means if somebody adds a tcp wrapper rule for something other than
mountd, it still effects the behavior of mountd? How does that make any
sense?
Why do you not see that "deny on reverse DNS failure" is not mutually
exclusive with "enable TCP wrappers"? This is based upon a
MISINTERPRETATION of how tcp wrappers should behave. You are hard
coding policy into nfs-utils.
All you need to do is make "deny on reverse DNS failure" disabled by
default, and let the admin choose to enable it. This would be simpler
than your above imperfect hack as well as more correct.
Warren Togami
wtogami(a)redhat.com
9:06 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Warren Togami wrote:
Steve Dickson wrote:
> Its been point out that if there are are no rules in either
> /etc/hosts.deny or /etc/hosts.allow there is no need to do any
> validity checking on the incoming address.
>
> Unfortunately there is no interface that will easily
> let me know if there are any rules so I simply read
> in both files looking for non-commented lines.
>
> steved.
This means if somebody adds a tcp wrapper rule for something other than
mountd, it still effects the behavior of mountd? How does that make any
sense?
Good point...
Why do you not see that "deny on reverse DNS failure" is not mutually
exclusive with "enable TCP wrappers"? This is based upon a
MISINTERPRETATION of how tcp wrappers should behave. You are hard
coding policy into nfs-utils.
Please tell how I check a 'mountd:
<hostname>' entry in the /etc/hosts.deny
with only an IP address without doing a reverse name lookup?
All you need to do is make "deny on reverse DNS failure" disabled by
default, and let the admin choose to enable it. This would be simpler
than your above imperfect hack as well as more correct.
This feels like a bit of
hack as well...
steved.
9:09 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Steve Dickson wrote:
> Why do you not see that "deny on reverse DNS failure"
is not mutually
> exclusive with "enable TCP wrappers"? This is based upon a
> MISINTERPRETATION of how tcp wrappers should behave. You are hard
> coding policy into nfs-utils.
Please tell how I check a 'mountd: <hostname>' entry in the /etc/hosts.deny
with only an IP address without doing a reverse name lookup?
I am not saying "without doing a reverse name lookup". Just remove the
hardcoded part that makes it fatal.
> All you need to do is make "deny on reverse DNS failure" disabled by
> default, and let the admin choose to enable it. This would be simpler
> than your above imperfect hack as well as more correct.
This feels like a bit of hack as well...
You hard coded policy. How was that not a hack?
Warren Togami
wtogami(a)redhat.com
9:14 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Warren Togami wrote:
Steve Dickson wrote:
>> Why do you not see that "deny on reverse DNS failure" is not mutually
>> exclusive with "enable TCP wrappers"? This is based upon a
>> MISINTERPRETATION of how tcp wrappers should behave. You are hard
>> coding policy into nfs-utils.
> Please tell how I check a 'mountd: <hostname>' entry in the
> /etc/hosts.deny with only an IP address without doing a reverse name
> lookup?
I am not saying "without doing a reverse name lookup". Just remove the
hardcoded part that makes it fatal.
which means the entry in /etc/hosts.deny will
be ignored possibly allowing
access to machine that should be denied.
steved.
9:27 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Steve Dickson wrote:
> I am not saying "without doing a reverse name lookup".
Just remove the
> hardcoded part that makes it fatal.
which means the entry in /etc/hosts.deny will be ignored possibly allowing
access to machine that should be denied.
Access control by hostname is highly imperfect and insecure to begin
with. Haven't we learned this from rsh?
How much sense does it make for someone to add every possible hostname
to deny in /etc/hosts.deny? If they want to limit access via tcp
wrappers, they would instead mountd: * in /etc/hosts.deny and add
specific hosts to /etc/hosts.allow.
We need to accept that tcp wrappers is insecure (easy to spoof,
unencrypted) and thus imperfect. Stop trying to add hacks to shine up
this turd. What other services impose such a denial by default due to
tcp wrappers? This is simply a bad idea.
Warren Togami
wtogami(a)redhat.com
9:35 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Warren Togami wrote:
Steve Dickson wrote:
>> I am not saying "without doing a reverse name lookup". Just remove
the
>> hardcoded part that makes it fatal.
> which means the entry in /etc/hosts.deny will be ignored possibly
> allowing
> access to machine that should be denied.
Access control by hostname is highly imperfect and insecure to begin
with. Haven't we learned this from rsh?
How much sense does it make for someone to add every possible hostname
to deny in /etc/hosts.deny? If they want to limit access via tcp
wrappers, they would instead mountd: * in /etc/hosts.deny and add
specific hosts to /etc/hosts.allow.
Now who is dictating policy! 8-)
We need to accept that tcp wrappers is insecure (easy to spoof,
unencrypted) and thus imperfect. Stop trying to add hacks to shine up
this turd. What other services impose such a denial by default due to
tcp wrappers? This is simply a bad idea.
This is not for me to say... I'm just
try to get the code working with
out breaking anybody's world...
steved.
12:11 p.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Steve Dickson írta:
Warren Togami wrote:
> Steve Dickson wrote:
>
>>> I am not saying "without doing a reverse name lookup". Just remove
the
>>> hardcoded part that makes it fatal.
>>>
>> which means the entry in /etc/hosts.deny will be ignored possibly
>> allowing
>> access to machine that should be denied.
>>
> Access control by hostname is highly imperfect and insecure to begin
> with. Haven't we learned this from rsh?
>
> How much sense does it make for someone to add every possible hostname
> to deny in /etc/hosts.deny? If they want to limit access via tcp
> wrappers, they would instead mountd: * in /etc/hosts.deny and add
> specific hosts to /etc/hosts.allow.
>
Now who is dictating policy! 8-)
The admin is... by hosts.allow and hosts.deny.
nfs-utils' rule is to obey the policy set by the admin.
> We need to accept that tcp wrappers is insecure (easy to spoof,
> unencrypted) and thus imperfect. Stop trying to add hacks to shine up
> this turd. What other services impose such a denial by default due to
> tcp wrappers? This is simply a bad idea.
>
This is not for me to say... I'm just try to get the code working with
out breaking anybody's world...
steved.
9:21 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Jan 18 01:56:48 newcaprica useradd[15194]: failed adding user `rpcuser',
data deleted
BTW, why does /var/log/messages have something like this every time the
nfs-utils package is upgraded?
Warren
9:22 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Hi.
On Tue, 20 Jan 2009 10:06:05 -0500, Steve Dickson wrote:
Please tell how I check a 'mountd: <hostname>' entry
in
the /etc/hosts.deny with only an IP address without doing a reverse
name lookup?
You can't, and no one is denying that as far as I can see. And I'd
actually consider this to be failing on the safe side.
But, given an entry in hosts.allow like this:
mountd: host.example.com 192.168.1.1
denying the ip 192.168.1.1 just because it does not have a hostname
associated with it would be just wrong.
9:30 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Ralf Ertzinger wrote:
Hi.
On Tue, 20 Jan 2009 10:06:05 -0500, Steve Dickson wrote:
> Please tell how I check a 'mountd: <hostname>' entry in
> the /etc/hosts.deny with only an IP address without doing a reverse
> name lookup?
You can't, and no one is denying that as far as I can see. And I'd
actually consider this to be failing on the safe side.
But, given an entry in hosts.allow like this:
mountd: host.example.com 192.168.1.1
denying the ip 192.168.1.1 just because it does not have a hostname
associated with it would be just wrong.
Remember I said _matching_ IP... meaning if
the above line
was in hosts.allow and client 192.168.1.1 did a mount
the client would be allow the mount without doing a lookup
because there was a matching IP address entry...
Now if client 192.168.1.2 did a mount, there would not be a
IP matching entry in hosts.allow so a lookup would be necessary
to see if a 'mountd: <hostname>' exists in hosts.deny.
Is that making sense?
steved.
9:37 a.m.
New subject: [PATCH] mountd: Don't do tcp wrapper check when there are no rules
Hi.
On Tue, 20 Jan 2009 10:30:43 -0500, Steve Dickson wrote:
Now if client 192.168.1.2 did a mount, there would not be a
IP matching entry in hosts.allow so a lookup would be necessary
to see if a 'mountd: <hostname>' exists in hosts.deny.
Is that making sense?
Yes.
5625
days inactive
5625
days old
10 comments
4 participants
participants (4)
-
Ralf Ertzinger -
Steve Dickson -
Warren Togami -
Zoltan Boszormenyi