[PATCH] mountd: Don't do tcp wrapper check when there are no rules
Zoltan Boszormenyi
zboszor at freemail.hu
Tue Jan 20 18:11:31 UTC 2009
Steve Dickson írta:
> Warren Togami wrote:
>
>> Steve Dickson wrote:
>>
>>>> I am not saying "without doing a reverse name lookup". Just remove the
>>>> hardcoded part that makes it fatal.
>>>>
>>> which means the entry in /etc/hosts.deny will be ignored possibly
>>> allowing
>>> access to machine that should be denied.
>>>
>> Access control by hostname is highly imperfect and insecure to begin
>> with. Haven't we learned this from rsh?
>>
>> How much sense does it make for someone to add every possible hostname
>> to deny in /etc/hosts.deny? If they want to limit access via tcp
>> wrappers, they would instead mountd: * in /etc/hosts.deny and add
>> specific hosts to /etc/hosts.allow.
>>
> Now who is dictating policy! 8-)
>
The admin is... by hosts.allow and hosts.deny.
nfs-utils' rule is to obey the policy set by the admin.
>> We need to accept that tcp wrappers is insecure (easy to spoof,
>> unencrypted) and thus imperfect. Stop trying to add hacks to shine up
>> this turd. What other services impose such a denial by default due to
>> tcp wrappers? This is simply a bad idea.
>>
> This is not for me to say... I'm just try to get the code working with
> out breaking anybody's world...
>
> steved.
>
>
More information about the fedora-devel-list
mailing list