
Re: NFS tcp wrapper situation



Ric Wheeler wrote:

* BAD POLICY and MISCONFIGURATION.
TCP wrappers is behaving exactly how it is defined in policy.  Hostname
in hosts.deny (itself always a bad idea) is dependent on the DNS server
to be properly configured and operating.  Failure due to hostnames in
/etc/hosts.deny is MISCONFIGURATION.  If they are really concerned about
unknown clients connecting to that service, then they should use a
wildcard like "mountd: ALL" and allow specific hosts or IP ranges in
/etc/hosts.allow.

I disagree - you can easily get into a situation here where a user has put "badhost.example.com" into hosts.deny and by your argument, if DNS lookup fails, you will always allow them in.

My point is a sysadmin shouldn't be doing that, because it is ALWAYS a bad idea and a misconfiguration. They should instead set a wildcard to deny everything and allow only specific hosts in /etc/hosts.allow. Then the DNS-is-down or DNS-reverse-failure cases properly fail as expected.

My points go on further to say that we don't second guess the bad policy if the user does something equally foolish with iptables, or tcp wrappers with sshd remains "vulnerable" in the way you are trying to shoe-horn into nfs-utils.

In any case I think it is a bad idea to add this to nfs-utils, but we did agree to do so today. While I continue to disagree, I'm satisfied enough to just let it happen. We all wasted a serious amount of time over this non-issue.


A different (and very valid) argument can be made that tcp wrappers are garbage and that we should not ship them. Until then, I would argue that we should fix them to work as expected.


+1.  We really need to stop shipping this crap.

Warren Togami
wtogami redhat com
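
An added illustration of the configuration point argued in this message (not code from the thread, nfs-utils, or tcp_wrappers): a Python check that lists the client patterns in a hosts.deny file which are matched by host name and therefore depend on DNS. The sample file content is constructed, and backslash-continued lines are assumed not to occur.

```python
import ipaddress
import re

# Wildcards and operators from hosts_access(5); none is a literal host name.
KEYWORDS = {"ALL", "LOCAL", "KNOWN", "UNKNOWN", "PARANOID", "EXCEPT"}

def is_address_pattern(tok):
    """True if the pattern is matched against the client address, not its name."""
    if tok.endswith("."):  # IPv4 prefix form such as "198.51.100."
        return re.fullmatch(r"(\d{1,3}\.){1,3}", tok) is not None
    host = tok.split("/", 1)[0].strip("[]")  # drop the mask and IPv6 brackets
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_based_entries(text):
    """Return (line_no, daemons, pattern) for each pattern that needs a name lookup."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        # Client list ends at the next ':' that is not inside [IPv6] brackets.
        clients = re.split(r":(?![^\[\]]*\])", rest, maxsplit=1)[0]
        for tok in re.split(r"[,\s]+", clients.strip()):
            if not tok or tok in KEYWORDS or tok[0] in "@/":
                continue  # wildcard, netgroup, or pattern file
            host = tok.rsplit("@", 1)[-1]  # user@host form: keep the host part
            if not is_address_pattern(host):
                findings.append((no, daemons.strip(), tok))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """\
# hosts.deny
mountd: badhost.example.com
sshd: .example.net, 192.0.2.15
mountd: 198.51.100. 203.0.113.0/255.255.255.0
sshd: [2001:db8::]/64 : /bin/true
mountd: ALL EXCEPT 192.0.2.1
"""

if __name__ == "__main__":
    for no, daemons, pattern in name_based_entries(SAMPLE):
        print(f"line {no}: {daemons}: '{pattern}' depends on name resolution")
```

An empty result for a hosts.deny that contains only "mountd: ALL" corresponds to the deny-everything policy recommended above, with the permitted hosts or IP ranges listed in /etc/hosts.allow.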

