Re: CVS commit: src/usr.sbin/ypserv/ypserv

To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: CVS commit: src/usr.sbin/ypserv/ypserv
From: Chuck Cranor <chuck%ece.cmu.edu@localhost>
Date: Sat, 17 May 2008 15:28:16 -0400

On Fri, May 16, 2008 at 09:20:54PM +0200, Manuel Bouyer wrote:
> On Fri, May 16, 2008 at 04:41:42PM +0000, Chuck Cranor wrote:
> > Disable hostname lookup for ypserv(8) libwrap access control,
> thanks ! But what about making this optionnal, using a command-line
> flag ?

i think it is a major DoS hazard to allow the single-threaded ypserv(8)
process to make blocking DNS calls via getnameinfo(3) [see 
src/lib/libwrap/socket.c, function sock_hostname()].  DNS timeouts
can be quite long (many seconds) and while ypserv(8) is waiting for
a reply everything else basically _stops_ too.  we had a real problem
with random login/sshd timeout failures due to this.

i am also concerned that if you configure nsswitch to use ypserv(8) 
for hosts, you are likely to risk creating an infinite loop with 
ypserv(8)'s libwrap making host calls back to ypserv(8) itself.

it would be easy enough to add a switch for this, but i had trouble
thinking of a case where you'd want to have both libwrap access control
and be willing to risk the DoS issues associated with allowing anyone
on the network to block your ypserv(8) process...?

chuck

Follow-Ups:
- Re: CVS commit: src/usr.sbin/ypserv/ypserv
  - From: Manuel Bouyer

References:
- CVS commit: src/usr.sbin/ypserv/ypserv
  - From: Chuck Cranor
- Re: CVS commit: src/usr.sbin/ypserv/ypserv
  - From: Manuel Bouyer

Prev by Date: CVS commit: src/sys/arch/sparc/dev
Next by Date: CVS commit: src/doc
Previous by Thread: Re: CVS commit: src/usr.sbin/ypserv/ypserv
Next by Thread: Re: CVS commit: src/usr.sbin/ypserv/ypserv
Indexes:

Home | Main Index | Thread Index | Old Index