NFS tcp wrapper situation

Warren Togami wtogami at redhat.com
Wed Jan 21 04:17:15 UTC 2009


Ric Wheeler wrote:
>>
>> * BAD POLICY and MISCONFIGURATION.
>> TCP wrappers is behaving exactly how it is defined in policy.  Hostname
>> in hosts.deny (itself always a bad idea) is dependent on the DNS server
>> to be properly configured and operating.  Failure due to hostnames in
>> /etc/hosts.deny is MISCONFIGURATION.  If they are really concerned about
>> unknown clients connecting to that service, then they should use a
>> wildcard like "mountd: ALL" and allow specific hosts or IP ranges in
>> /etc/hosts.allow.
> 
> I disagree - you can easily get into a situation here where a user has 
> put "badhost.example.com" into hosts.deny and by your argument, if DNS 
> lookup fails, you will always allow them in.

My point is a sysadmin shouldn't be doing that, because it is ALWAYS a 
bad idea and a misconfiguration.  They should instead set a wildcard to 
deny everything and allow only specific hosts in /etc/hosts.allow.  Then 
the DNS-is-down or DNS-reverse-failure case properly fail as expected.

My points go on further to say that we don't second guess the bad policy 
if the user does something equally foolish with iptables, or tcp 
wrappers with sshd remains "vulnerable" in the way you are trying to 
shoe-horn into nfs-utils.

In any case I think it is a bad idea to add this to nfs-utils, but we 
did agree to do so today.  While I continue to disagree, I'm satisfied 
enough to just let it happen.  We all wasted a serious amount of time 
over this non-issue.

> 
> A different (and very valid) argument can be made that tcp wrappers are 
> garbage and that we should not ship them. Until then, I would argue that 
> we should fix them to work as expected.
> 

+1.  We really need to stop shipping this crap.

Warren Togami
wtogami at redhat.com




More information about the fedora-devel-list mailing list