Subject: localhost security hole
To: NetBSD security list <firstname.lastname@example.org>
From: William Allen Simpson <email@example.com>
Date: 06/28/2003 09:11:24

Having proved beyond all shadow of a doubt that sending mail to
root@localhost leaves a security leak a mile wide, what should be done?

The zone administrator (or DNS spoofer) can redirect all root mail, by
adding a zone entry "localhost.dom.ain." that points to some other
place than 127.0.0.1. Is this considered a feature?

I proposed PR install/21999, to modify the /etc/hosts file to include
"localhost.dom.ain", right next to the "host.dom.ain host" line.

So far, most commentators oppose this change.

William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
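
The following audit is an added example, not part of the original message or of PR install/21999: it lists every "localhost.<search domain>" name that the hosts file does not pin to a loopback address, which is the gap the message describes. The function names, the sample file contents and the second search domain are constructed for illustration, and the check assumes the hosts file is consulted before DNS on the system being audited.

```python
import ipaddress

# Constructed sample inputs (not taken from the original message).
SAMPLE_RESOLV = "domain dom.ain\nsearch dom.ain corp.example\nnameserver 192.0.2.53\n"
SAMPLE_HOSTS = ("127.0.0.1 localhost\n"
                "192.0.2.10 host.dom.ain host\n"
                "127.0.0.1 localhost.dom.ain\n")

def search_domains(resolv_text):
    """Domains from 'domain' and 'search' lines (union, to be conservative)."""
    domains = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ("domain", "search"):
            for d in fields[1:]:
                d = d.rstrip(".").lower()
                if d and d not in domains:
                    domains.append(d)
    return domains

def hosts_map(hosts_text):
    """Map each lower-cased host name to the addresses listed for it."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.rstrip(".").lower(), []).append(fields[0])
    return table

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # malformed address field in the hosts file
        return False

def unpinned_localhost_names(resolv_text, hosts_text):
    """Return (name, addresses) for each localhost.<domain> not pinned to loopback."""
    table = hosts_map(hosts_text)
    findings = []
    for domain in search_domains(resolv_text):
        name = "localhost." + domain
        addrs = table.get(name, [])
        # Missing entry: the answer comes from DNS. Non-loopback entry: already redirected.
        if not addrs or not all(is_loopback(a) for a in addrs):
            findings.append((name, addrs))
    return findings

if __name__ == "__main__":
    for name, addrs in unpinned_localhost_names(SAMPLE_RESOLV, SAMPLE_HOSTS):
        print(f"{name}: not pinned to loopback (hosts entries: {addrs or 'none'})")
```

To audit a real system, pass the contents of /etc/resolv.conf and /etc/hosts instead of the sample strings.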