[PATCH] mountd: Don't do tcp wrapper check when there are no rules

Steve Dickson SteveD at redhat.com
Tue Jan 20 15:35:31 UTC 2009


Warren Togami wrote:
> Steve Dickson wrote:
>>> I am not saying "without doing a reverse name lookup".  Just remove the
>>> hardcoded part that makes it fatal.
>> which means the entry in /etc/hosts.deny will be ignored possibly
>> allowing
>> access to machine that should be denied.
> 
> Access control by hostname is highly imperfect and insecure to begin
> with.  Haven't we learned this from rsh?
> 
> How much sense does it make for someone to add every possible hostname
> to deny in /etc/hosts.deny?  If they want to limit access via tcp
> wrappers, they would instead mountd: * in /etc/hosts.deny and add
> specific hosts to /etc/hosts.allow.
Now who is dictating policy! 8-)

> 
> We need to accept that tcp wrappers is insecure (easy to spoof,
> unencrypted) and thus imperfect.  Stop trying to add hacks to shine up
> this turd.  What other services impose such a denial by default due to
> tcp wrappers?  This is simply a bad idea.
This is not for me to say... I'm just try to get the code working with
out breaking anybody's world... 

steved.




More information about the devel mailing list