
Re: [PATCH] mountd: Don't do tcp wrapper check when there are no rules

Steve Dickson wrote:
I am not saying "without doing a reverse name lookup".  Just remove the
hardcoded part that makes it fatal.
which means the entry in /etc/hosts.deny will be ignored possibly allowing
access to a machine that should be denied.

Access control by hostname is highly imperfect and insecure to begin with. Haven't we learned this from rsh?

How much sense does it make for someone to add every possible hostname to deny in /etc/hosts.deny? If they want to limit access via tcp wrappers, they would instead put mountd: * in /etc/hosts.deny and add specific hosts to /etc/hosts.allow.

We need to accept that tcp wrappers is insecure (easy to spoof, unencrypted) and thus imperfect. Stop trying to add hacks to shine up this turd. What other services impose such a denial by default due to tcp wrappers? This is simply a bad idea.

Warren Togami
wtogami redhat com
