Subject: Re: localhost security hole
To: Alan Barrett <>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-security
Date: 06/28/2003 22:31:17
    Date:        Sat, 28 Jun 2003 17:15:24 +0200
    From:        Alan Barrett <>
    Message-ID:  <>

  | NetBSD's default nsswitch.conf has "hosts: file dns".

Yes, I know.

  | I am looking at the top of ruleset "SCanonify2=96".  It's clearly
  | a special case for localhost, and it seems to be trying to rewrite
  | ${user}@localhost to ${user}@${hostname}.

Ah, OK, I think the issue here though is that the mail wasn't (isn't)
being sent to "root@localhost" it is being sent to "root".

smmsp is then attempting to connect to localhost to deliver the mail.

Because sending unqualified user names over SMTP connections is a no-no,
some kind of domain name needs to be appended.

  | Usually, I'd agree.  However, a system that is configured to treat
  | unqualified host names as errors should probably have an exception for
  | "localhost", which is actually a fully qualified domain name even though
  | it doesn't contain any dots.

Well, it isn't really, there's no CTLD or ccTLD called "localhost".
Technically (if treated as "localhost." it is an invalid (or bogus)
domain name).   On the other hand, localhost.domain is (or can be)
perfectly fine of course.

  | I have managed just fine for many years with "localhost. A",
  | " PTR localhost.", and no mention of
  | localhost.${domain} anywhere.

This works only if you can ensure that you have those RRs installed
in every system that can possibly be a DNS cache.   That includes
systems where some random user just says "I think I'll run a DNS cache
on my system, speed up accesses".   On the other hand, localhost.domain
works from anywhere, and requires only that one extra name be placed
in zone files that are already getting names in them.