From: Steve Dickson <SteveD@redhat.com>
To: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: [PATCH 1/3] nfs-utils: Enabling TCP wrappers
Date: Mon, 15 Dec 2008 11:58:05 -0500 [thread overview]
Message-ID: <49468C9D.6070606@RedHat.com> (raw)
In-Reply-To: <49468BC7.2000907-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
commit 0e594fd44041c5c0562ed1dfc19d2c6d5d3ede0f
Author: Steve Dickson <steved@redhat.com>
Date: Mon Dec 15 10:52:01 2008 -0500
When clients are defined as IP addresses in /etc/hosts.deny,
access is allowed due to misinterpreting the return value of
hosts_ctl(). This patch reworks that logic, which closes
that hole.
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
index e4f453b..ceea5ce 100644
--- a/support/misc/tcpwrapper.c
+++ b/support/misc/tcpwrapper.c
@@ -86,6 +86,9 @@ int hosts_ctl(char *daemon, char *name, char *addr, char *user)
#define log_client(addr, proc, prog) \
logit(allow_severity, addr, proc, prog, "")
+#define ALLOW 1
+#define DENY 0
+
int
good_client(daemon, addr)
char *daemon;
@@ -95,47 +98,44 @@ struct sockaddr_in *addr;
char **sp;
char *tmpname;
- /* Check the IP address first. */
- if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), ""))
- return 1;
-
- /* Check the hostname. */
- hp = gethostbyaddr ((const char *) &(addr->sin_addr),
- sizeof (addr->sin_addr), AF_INET);
-
- if (!hp)
- return 0;
-
- /* must make sure the hostent is authorative. */
- tmpname = alloca (strlen (hp->h_name) + 1);
- strcpy (tmpname, hp->h_name);
- hp = gethostbyname(tmpname);
- if (hp) {
- /* now make sure the "addr->sin_addr" is on the list */
+ /* First check the address. */
+ if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
+ return DENY;
+
+ /* Now do the hostname lookup */
+ hp = gethostbyaddr ((const char *) &(addr->sin_addr),
+ sizeof (addr->sin_addr), AF_INET);
+ if (!hp)
+ return DENY; /* never heard of it. misconfigured DNS? */
+
+ /* Make sure the hostent is authorative. */
+ tmpname = strdup(hp->h_name);
+ if (!tmpname)
+ return DENY;
+ hp = gethostbyname(tmpname);
+ free(tmpname);
+ if (!hp)
+ return DENY; /* never heard of it. misconfigured DNS? */
+
+ /* Now make sure the address is on the list */
for (sp = hp->h_addr_list ; *sp ; sp++) {
- if (memcmp(*sp, &(addr->sin_addr), hp->h_length)==0)
- break;
+ if (memcmp(*sp, &(addr->sin_addr), hp->h_length) == 0)
+ break;
}
if (!*sp)
- /* it was a FAKE. */
- return 0;
- }
- else
- /* never heard of it. misconfigured DNS? */
- return 0;
-
- /* Check the official name first. */
- if (hosts_ctl(daemon, hp->h_name, "", ""))
- return 1;
-
- /* Check aliases. */
- for (sp = hp->h_aliases; *sp ; sp++) {
- if (hosts_ctl(daemon, *sp, "", ""))
- return 1;
- }
-
- /* No match */
- return 0;
+ return DENY; /* it was a FAKE. */
+
+ /* Check the official name and address. */
+ if (hosts_ctl(daemon, hp->h_name, inet_ntoa(addr->sin_addr), "") == DENY)
+ return DENY;
+
+ /* Now check aliases. */
+ for (sp = hp->h_aliases; *sp ; sp++) {
+ if (hosts_ctl(daemon, *sp, inet_ntoa(addr->sin_addr), "") == DENY)
+ return DENY;
+ }
+
+ return ALLOW;
}
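Review bot: A client whose address is permitted by hosts.allow but has no working reverse DNS is now refused at the `if (!hp) return DENY;` following gethostbyaddr, whereas the removed code returned 1 on the address match alone; if that fail-closed behaviour is intended, the comment should say so, e.g. `return DENY; /* no reverse mapping: fail closed even though the address passed hosts_ctl() */`. The two failure paths after gethostbyaddr and gethostbyname carry the identical comment `/* never heard of it. misconfigured DNS? */`, which hides that they deny for different reasons (no reverse record for the address vs. no forward record for the returned name), so the second one would read better as `/* reverse name does not resolve forward: treat as spoofed */`. good_client's signature is in the preceding hunk, so the function starts outside this one.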
/* check_startup - additional startup code */
@@ -184,12 +184,13 @@ struct sockaddr_in *addr;
u_long proc;
u_long prog;
{
- if (!(from_local(addr) || good_client(daemon, addr))) {
- log_bad_host(addr, proc, prog);
- return (FALSE);
- }
- if (verboselog)
- log_client(addr, proc, prog);
+ if (!(from_local(addr) || good_client(daemon, addr))) {
+ log_bad_host(addr, proc, prog);
+ return (FALSE);
+ }
+ if (verboselog)
+ log_client(addr, proc, prog);
+
return (TRUE);
}