|
Message-ID: <20090415160835.53d31fcd@redhat.com> Date: Wed, 15 Apr 2009 16:08:35 +0200 From: Tomas Hoger <thoger@...hat.com> To: wietse@...cupine.org Cc: oss-security@...ts.openwall.com Subject: Re: Re: Some fun with tcp_wrappers Hi Wietse! On Wed, 15 Apr 2009 08:07:42 -0400 (EDT) wietse@...cupine.org (Wietse Venema) wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=491095 > > If some applications mis-use the library API then that is really > unfortunate. The problem is not really limited to the applications that mis-use API. According to hosts_access(3): hosts_ctl() is a wrapper around the request_init() and hosts_access() routines with a perhaps more convenient interface (though it does not pass on enough information to support automated client username lookups). The client host address, client host name and username arguments should contain valid data or STRING_UNKNOWN. hosts_ctl() returns zero if access should be denied. STRING_UNKNOWN is valid argument expected to be passed to hosts_ctl. That description does not seem to be too clear to indicate that when one uses hosts_ctl as: hosts_ctl(svcname, STRING_UNKNOWN, client_addr, STRING_UNKNOWN) all hostname-based rules are ignored. It seems those using hosts_ctl do not always realize that. > Changing the library to work around application bugs is a BAD idea. > It helps only one platform and complicates cross-platform software > that does play by the rules. It's hard to disagree with that. Though we seem to have failed on this some time ago alread. The change was done as bugfix nearly two years ago in Fedora / Red Hat Enterprise Linux 5 (after some discussion whether this is application or tcp_wrappers bug), we're now only introducing the change to products that are not too relevant for future applications development (all released 4+ years ago). > I would recommend fixing applications that mis-use the library API. > To encourage application developers, the library could log a warning > and return a DENY result for improper calls such as a zero-length > hostname or address argument. Is STRING_UNKNOWN as hostname a mis-use of API? Are all applications not wanting to do DNS resolution when not needed expected to switch to request_init / hosts_access instead? Is there any use cases where ignoring hostname based rules when STRING_UNKNOWN is passed as hostname argument to hosts_ctl is more desired than tcp_wrappers performing resolution when needed? Denying zero-length hostname/address sounds like a library workaround too, with no obvious benefits for those doing such change. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.