Re: [PATCH] Avoid DNS reverse resolution for server names (take 3)

On 01/05/13 23:13, NeilBrown wrote:
> Subject: Fix recent fix to Avoid DNS reverse resolution in gssd.
> 
> The final version for this fix that was committed inverted the test
> so it makes no change in the important cases.
> The documentation didn't really help a naive user know when the new -D flag
> should be used.
> And the code (once fixed) avoided DNS resolution on non-qualified names too,
> which probably isn't a good idea.
> 
> This patch fixes all three issues.
> 
> Signed-off-by: NeilBrown <neilb@xxxxxxx>
Committed....

steved.

> 
> 
> diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
> index 1df75c5..ac13fd4 100644
> --- a/utils/gssd/gssd.man
> +++ b/utils/gssd/gssd.man
> @@ -195,11 +195,28 @@ option when starting
>  .BR rpc.gssd .
>  .SH OPTIONS
>  .TP
> -.B -D
> -DNS Reverse lookups are not used for determining the
> -server names pass to GSSAPI. This option will reverses that and forces 
> -the use of DNS Reverse resolution of the server's IP address to 
> -retrieve the server name to use in GSAPI authentication.
> +.B \-D
> +The server name passed to GSSAPI for authentication is normally the
> +name exactly as requested.  e.g. for NFS
> +it is the server name in the "servername:/path" mount request.  Only if this
> +servername appears to be an IP address (IPv4 or IPv6) or an
> +unqualified name (no dots) will a reverse DNS lookup
> +will be performed to get the canoncial server name.
> +
> +If
> +.B \-D
> +is present, a reverse DNS lookup will
> +.I always
> +be used, even if the server name looks like a canonical name.  So it
> +is needed if partially qualified, or non canonical names are regularly
> +used.
> +
> +Using
> +.B \-D
> +can introduce a security vulnerability, so it is recommended that
> +.B \-D
> +not be used, and that canonical names always be used when requesting
> +services.
>  .TP
>  .B -f
>  Runs
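Review bot: the new paragraph in the `-D` description has a doubled "will" ("will a reverse DNS lookup / will be performed") and misspells "canonical" as "canoncial"; suggest "an unqualified name (no dots) will a reverse DNS lookup be performed to get the canonical server name." The closing paragraph also tells the user `-D` "can introduce a security vulnerability" without saying why, which is exactly what an administrator needs to weigh the option; one clause is enough, e.g. "because the name used for authentication is then taken from a reverse DNS answer that the client does not control".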
> diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
> index af1844c..d381664 100644
> --- a/utils/gssd/gssd_proc.c
> +++ b/utils/gssd/gssd_proc.c
> @@ -176,7 +176,6 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
>  	char			*hostname;
>  	char			hbuf[NI_MAXHOST];
>  	unsigned char		buf[sizeof(struct in6_addr)];
> -	int			servername = 0;
>  
>  	if (avoid_dns) {
>  		/*
> @@ -184,15 +183,18 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
>  		 * If it is an IP address, do the DNS lookup otherwise
>  		 * skip the DNS lookup.
>  		 */
> -		servername = 0;
> -		if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
> -			servername = 1; /* IPv4 */
> -		else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
> -			servername = 1; /* or IPv6 */
> -
> -		if (servername) {
> +		int is_fqdn = 1;
> +		if (strchr(name, '.') == NULL)
> +			is_fqdn = 0; /* local name */
> +		else if (inet_pton(AF_INET, name, buf) == 1)
> +			is_fqdn = 0; /* IPv4 address */
> +		else if (inet_pton(AF_INET6, name, buf) == 1)
> +			is_fqdn = 0; /* IPv6 addrss */
> +
> +		if (is_fqdn) {
>  			return strdup(name);
>  		}
> +		/* Sorry, cannot avoid dns after all */
>  	}
>  
>  	switch (sa->sa_family) {
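Review bot: the unchanged comment at the top of the hunk ("If it is an IP address, do the DNS lookup otherwise skip the DNS lookup") no longer matches the code below it, since the `is_fqdn` test now also sends unqualified names (no dot) through the lookup; suggest updating it to "Skip the DNS lookup only if the name looks fully qualified; IP addresses and names without dots are resolved as before." Also "IPv6 addrss" in the new `else if` branch is missing an "e".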
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
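The classification rule the commit message describes (skip reverse DNS only for names that look fully qualified; still resolve IP literals and dotless names), re-implemented here as an added example that is not gssd's own code. It places the inverted pre-fix test beside the fixed one so the difference the commit message calls "makes no change in the important cases" is visible on concrete inputs. The function names `name_is_fqdn`, `old_skips_dns` and `fixed_does_reverse_lookup` and the sample hostnames are assumptions of this example; `avoid_dns` mirrors the daemon's flag, which the man page says is normally set and cleared by `-D`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>

/* Fixed rule (example re-implementation): a name is treated as already
 * canonical, so reverse DNS is skipped, only when it contains a dot and
 * is neither an IPv4 nor an IPv6 literal. */
int name_is_fqdn(const char *name)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (strchr(name, '.') == NULL)
        return 0;                          /* unqualified local name */
    if (inet_pton(AF_INET, name, buf) == 1)
        return 0;                          /* IPv4 literal */
    if (inet_pton(AF_INET6, name, buf) == 1)
        return 0;                          /* IPv6 literal */
    return 1;
}

/* The pre-fix test from the quoted hunk: it flagged IP literals and then
 * returned the name unchanged for exactly those, i.e. it skipped the
 * reverse lookup for addresses and performed it for real hostnames,
 * the inverse of what avoid_dns was meant to do. */
int old_skips_dns(const char *name)
{
    unsigned char buf[sizeof(struct in6_addr)];
    int servername = 0;

    if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
        servername = 1;                    /* IPv4 */
    else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
        servername = 1;                    /* or IPv6 */
    return servername;
}

/* Whether the fixed code would consult reverse DNS for this name.
 * avoid_dns is 1 by default and 0 when the daemon is started with -D. */
int fixed_does_reverse_lookup(const char *name, int avoid_dns)
{
    if (avoid_dns && name_is_fqdn(name))
        return 0;                          /* use the requested name as-is */
    return 1;                              /* fall through to getnameinfo() */
}
```

With the default setting, a mount request for `nfs.example.com` keeps that name as the GSSAPI principal host, while `192.0.2.10` and a bare `nfs` are still resolved; passing `-D` sends every name through the lookup, which is why the man page recommends against it.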