Subject: Re: localhost security hole
To: Alan Barrett <apb@cequrux.com>
From: Robert Elz <kre@munnari.OZ.AU>
List: current-users
Date: 06/28/2003 21:35:55
    Date:        Sat, 28 Jun 2003 16:18:46 +0200
    From:        Alan Barrett <apb@cequrux.com>
    Message-ID:  <20030628141846.GT3711@apb.cequrux.com>

  | I can confirm that this flaw exists, and I think it's a bug in sendmail,
  | or sendmail's default configuration on NetBSD.

No, it is neither.

  | Applications like ping, telnet and ssh do not exhibit the problem.

That's because they use getaddrinfo() (or gethostbyname()).   And they do
exhibit the problem if your nsswitch.conf is sane (does DNS lookups only,
or at least, DNS lookups before using /etc/hosts or other methods).
Preferring /etc/hosts is just a recipe for disaster in general.

  | The default sendmail.cf tries to handle "localhost" as a special case.

I suspect you're misreading that.

  | We should also check whether postfix has a similar problem.

It should, as it should also be looking for MX records, and that means
doing DNS queries, not hosts file lookups.   The normal recolver config
on NetBSD appends the local domain to any name that has not dots (which
is exactly what it should do, we don't want the root servers deluged with
queries every time someone does "ping foo", we want it to assume that
means foo.local.domain. first, and only fall back on "foo." if that fails,
there are even good arguments for never falling back on "foo." if the
name being queried has no dots in it at all - if you mean "foo." you
can say "foo." - that's so rare as to be a very unusual case).

Of course, "foo" == "localhost" shouldn't be treated as any kind of
special case.

And this is also why sticking "localhost.domain. IN A 127.0.0.1" in
all (relevant) forward zone files is still a *very* good idea (having
"localhost." is useful as well, to save the root servers, though in
practice it should rarely ever get used).

kre