Subject: localhost security hole
To: NetBSD security list <>
From: William Allen Simpson <>
List: tech-security
Date: 06/28/2003 09:11:24
Having proved beyond all shadow of a doubt that sending mail to 
root@localhost leaves a security leak a mile wide, what should be done?

The zone administrator (or DNS spoofer) can redirect all root mail, by 
adding a zone entry "localhost.dom.ain." that points to some other 
place than  Is this considered a feature?

I proposed PR install/21999, to modify the /etc/hosts file to include 
"localhost.dom.ain", right next to the "host.dom.ain host" line.

So far, most commentators oppose this change.

William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32