From: Steve Dickson <SteveD@redhat.com>
To: Linux NFS Mailing list <linux-nfs@vger.kernel.org>
Subject: [PATCH 0/3] nfs-utils: Enabling TCP wrappers Part 2
Date: Fri, 23 Jan 2009 12:59:10 -0500
Message-ID: <497A056E.1030606@RedHat.com>
Now that TCP wrappers are actually working as expected, they are causing
problems in configurations that don't support reverse host name
lookups.

For TCP wrappers to actually work correctly, an IP address has to be
converted into a host name, to cover the possibility that host names
are used in either the /etc/hosts.deny or /etc/hosts.allow files.
If that IP conversion (i.e. reverse hostname lookup) fails, the
mount has to fail; otherwise it opens up a security hole since
the host name cannot be checked.

In smaller "at home" configurations, this failure causes a great deal
of pain since there will never be any type of DNS service, and for some
reason (which was beyond me) adding the IP address to /etc/hosts
was not an option. So this patch set allows configurations like
those to, once again, just work, plus it also stops a needless lookup
when there are no tcp wrapper rules, which is 99.99% of the time.
Patch 01 - I was caching the results of the host access query using
           the IP address, program number and procedure number, which
           was creating too many cache entries for a single host.
           All that's really needed is to hash on the IP address
           and program number.

Patch 02 - This is a repost of a previous patch that will not
           do the host access checks if there are no rules in
           either hosts.allow or hosts.deny. This version includes
           the suggestion from Chuck Lever that blank lines should
           also be ignored.

Patch 03 - This patch adds a --insecure | -i command line argument that
           completely turns off all of the host access checking. I was a bit
           hesitant about doing this, but once I saw other daemons having the
           option I figured it would be good to have.
Comments/Issues?
steved.
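The "skip the check when there are no rules" logic described for Patch 02 above, as an added example that is not nfs-utils code and not part of the original posting. It treats blank and whitespace-only lines as non-rules, and additionally assumes that '#' comment lines are non-rules; the file paths, function names and the constructed sample contents are all invented for the example.

```c
/* Added example (not nfs-utils code): decide whether hosts.allow /
 * hosts.deny contain any rule, so the per-mount host-access check can be
 * skipped only when both files are empty of rules.  Assumption beyond the
 * cover letter: '#' comment lines count as "no rule", like blank lines. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A line is a rule unless it is empty, whitespace only, or a '#' comment. */
int line_is_rule(const char *line)
{
    while (*line && isspace((unsigned char)*line))
        line++;
    return *line != '\0' && *line != '#';
}

/* Scan an open stream line by line.  A line longer than the buffer is read
 * in chunks; a later chunk may be counted as a rule, which errs toward
 * running the check rather than skipping it (fail-safe direction). */
int stream_has_rules(FILE *fp)
{
    char line[1024];
    while (fgets(line, sizeof line, fp) != NULL)
        if (line_is_rule(line))
            return 1;
    return 0;
}

/* A missing file contributes no rules; an existing one is scanned. */
int hosts_file_has_rules(const char *path)
{
    FILE *fp = fopen(path, "r");
    int found;
    if (fp == NULL)
        return 0;
    found = stream_has_rules(fp);
    fclose(fp);
    return found;
}

/* Startup decision: the reverse lookup and access check are needed only
 * when at least one of the two files carries a rule. */
int tcp_wrappers_needed(const char *allow_path, const char *deny_path)
{
    return hosts_file_has_rules(allow_path) || hosts_file_has_rules(deny_path);
}

/* Run the scanner over constructed file text (via tmpfile) for offline use. */
int constructed_text_has_rules(const char *text)
{
    FILE *fp = tmpfile();
    int found;
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    found = stream_has_rules(fp);
    fclose(fp);
    return found;
}
```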