Re: bin/59493: Add insecure option to lpd

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,perseant%nbdev.hhhh.org@localhost
Subject: Re: bin/59493: Add insecure option to lpd
From: "Michael van Elst via gnats" <gnats-admin%NetBSD.org@localhost>
Date: Mon, 30 Jun 2025 06:30:02 +0000 (UTC)

The following reply was made to PR bin/59493; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/59493: Add insecure option to lpd
Date: Mon, 30 Jun 2025 06:24:25 -0000 (UTC)

 perseant%nbdev.hhhh.org@localhost writes:

 >	lpd(8) provides network access control using hosts_access(5) and
 >	requires reverse DNS to serve requests from the network.  In a modern
 >	setting, host access is generally provided via host firewall, and
 >	in a small network setting, anonymous clients are common.  The patch
 >	below provides a flag, -i, that disables the network security checks
 >	for cases where they do not make sense (e.g. home network, or
 >	a host that already uses npf(7) for access control).

 While I agree that allowing clients without DNS entry is necessary,
 I don't like this "ignore everything" setting. In particular, it
 bypasses tcp wrappers and the port check silently.

 An option to only skip the hosts.lpd check is better. Enhancing
 the check to also handle IP addresses and subnets (then you could
 enable your subnet or even 0/0) is another.

Prev by Date: bin/59495: umount -v is too verbose; should need -vv (as mount)
Next by Date: port-amd64/59496: netbsd-10 assert_sleepable panic on i9
Previous by Thread: bin/59493: Add insecure option to lpd
Next by Thread: Re: bin/59493: Add insecure option to lpd
Indexes:

Home | Main Index | Thread Index | Old Index