Ric Wheeler wrote:
* BAD POLICY and MISCONFIGURATION.
TCP wrappers is behaving exactly how it is defined in policy. Hostname
in hosts.deny (itself always a bad idea) is dependent on the DNS server
to be properly configured and operating. Failure due to hostnames in
/etc/hosts.deny is MISCONFIGURATION. If they are really concerned about
unknown clients connecting to that service, then they should use a
wildcard like "mountd: ALL" and allow specific hosts or IP ranges in
/etc/hosts.allow.
I disagree - you can easily get into a situation here where a user has
put "badhost.example.com" into hosts.deny and by your argument, if DNS
lookup fails, you will always allow them in.
My point is a sysadmin shouldn't be doing that, because it is ALWAYS a
bad idea and a misconfiguration. They should instead set a wildcard to
deny everything and allow only specific hosts in /etc/hosts.allow. Then
the DNS-is-down or DNS-reverse-failure case properly fail as expected.
My points go on further to say that we don't second guess the bad policy
if the user does something equally foolish with iptables, or tcp
wrappers with sshd remains "vulnerable" in the way you are trying to
shoe-horn into nfs-utils.
In any case I think it is a bad idea to add this to nfs-utils, but we
did agree to do so today. While I continue to disagree, I'm satisfied
enough to just let it happen. We all wasted a serious amount of time
over this non-issue.
A different (and very valid) argument can be made that tcp wrappers are
garbage and that we should not ship them. Until then, I would argue that
we should fix them to work as expected.
+1. We really need to stop shipping this crap.
Warren Togami
wtogami@xxxxxxxxxx
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
