[PATCH] mountd: Don't do tcp wrapper check when there are no rules

Warren Togami wtogami at redhat.com
Tue Jan 20 15:27:30 UTC 2009


Steve Dickson wrote:
>> I am not saying "without doing a reverse name lookup".  Just remove the
>> hardcoded part that makes it fatal.
> which means the entry in /etc/hosts.deny will be ignored, possibly allowing
> access to a machine that should be denied.
>

Access control by hostname is highly imperfect and insecure to begin 
with.  Haven't we learned this from rsh?

How much sense does it make for someone to add every possible hostname 
to deny in /etc/hosts.deny?  If they want to limit access via tcp 
wrappers, they would instead put mountd: * in /etc/hosts.deny and add 
specific hosts to /etc/hosts.allow.

We need to accept that tcp wrappers is insecure (easy to spoof, 
unencrypted) and thus imperfect.  Stop trying to add hacks to shine up 
this turd.  What other services impose such a denial by default due to 
tcp wrappers?  This is simply a bad idea.

Warren Togami
wtogami at redhat.com
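
A small model of how tcp wrappers evaluates hosts.allow and hosts.deny, added here as an illustration and not part of the thread or of nfs-utils. It assumes the documented order (hosts.allow first, then hosts.deny, first match wins, no match grants access) and that a client whose reverse lookup fails has no hostname, so only address patterns, ALL and UNKNOWN can match it; the rule sets, names and addresses below are constructed.

```python
"""Simplified tcp_wrappers evaluation: deny-by-hostname vs. deny-all plus allow-list."""
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

Rule = Tuple[str, str]  # (daemon pattern, client pattern)


def _client_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """Match one client pattern; hostname is None when reverse lookup failed."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return hostname is None
    if "/" in pattern:                       # CIDR form, e.g. 192.0.2.0/24
        return ip_address(ip) in ip_network(pattern, strict=False)
    if pattern[:1].isdigit():                # plain address
        return ip == pattern
    if pattern.startswith("."):              # domain suffix, e.g. .example.com
        return hostname is not None and hostname.endswith(pattern)
    return hostname is not None and hostname == pattern   # exact hostname


def _matches(rules: Sequence[Rule], daemon: str, ip: str, hostname: Optional[str]) -> bool:
    return any((d in ("ALL", daemon)) and _client_matches(c, ip, hostname)
               for d, c in rules)


def allowed(allow: Sequence[Rule], deny: Sequence[Rule], daemon: str,
            ip: str, hostname: Optional[str]) -> bool:
    """True if the client may reach `daemon`: allow file, then deny file, else allow."""
    if _matches(allow, daemon, ip, hostname):
        return True
    if _matches(deny, daemon, ip, hostname):
        return False
    return True   # no rule matched: tcp_wrappers grants access


# Constructed scenario 1: deny a single hostname (the approach the message calls pointless).
DENY_BY_NAME: Sequence[Rule] = [("mountd", "badhost.example.com")]

# Constructed scenario 2: deny everything, allow one address range.
DENY_ALL: Sequence[Rule] = [("mountd", "ALL")]
ALLOW_NET: Sequence[Rule] = [("mountd", "192.0.2.0/24")]

if __name__ == "__main__":
    # Denied only while the reverse lookup actually returns that name ...
    print(allowed([], DENY_BY_NAME, "mountd", "203.0.113.9", "badhost.example.com"))  # False
    # ... but the same host gets through as soon as the lookup fails or the PTR changes.
    print(allowed([], DENY_BY_NAME, "mountd", "203.0.113.9", None))                   # True
    # Deny-all plus an address allow-list does not depend on name resolution at all.
    print(allowed(ALLOW_NET, DENY_ALL, "mountd", "192.0.2.10", None))                 # True
    print(allowed(ALLOW_NET, DENY_ALL, "mountd", "203.0.113.9", None))                # False
```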
