Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20090415160835.53d31fcd@redhat.com>
Date: Wed, 15 Apr 2009 16:08:35 +0200
From: Tomas Hoger <thoger@...hat.com>
To: wietse@...cupine.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Some fun with tcp_wrappers

Hi Wietse!

On Wed, 15 Apr 2009 08:07:42 -0400 (EDT) wietse@...cupine.org (Wietse
Venema) wrote:

> >   https://bugzilla.redhat.com/show_bug.cgi?id=491095
> 
> If some applications mis-use the library API then that is really
> unfortunate.

The problem is not really limited to the applications that mis-use
API.  According to hosts_access(3):

  hosts_ctl() is a wrapper around the request_init() and
  hosts_access() routines with a perhaps more convenient interface
  (though it does not pass on enough information to support automated
  client username lookups).  The client host address, client host
  name and username arguments should contain valid data or
  STRING_UNKNOWN.  hosts_ctl() returns zero if access should be denied.

STRING_UNKNOWN is valid argument expected to be passed to hosts_ctl.
That description does not seem to be too clear to indicate that when
one uses hosts_ctl as:

  hosts_ctl(svcname, STRING_UNKNOWN, client_addr, STRING_UNKNOWN)

all hostname-based rules are ignored.  It seems those using hosts_ctl
do not always realize that.

> Changing the library to work around application bugs is a BAD idea.
> It helps only one platform and complicates cross-platform software
> that does play by the rules.

It's hard to disagree with that.  Though we seem to have failed on this
some time ago alread.  The change was done as bugfix nearly two years
ago in Fedora / Red Hat Enterprise Linux 5 (after some discussion
whether this is application or tcp_wrappers bug), we're now only
introducing the change to products that are not too relevant for future
applications development (all released 4+ years ago).

> I would recommend fixing applications that mis-use the library API.
> To encourage application developers, the library could log a warning
> and return a DENY result for improper calls such as a zero-length
> hostname or address argument.

Is STRING_UNKNOWN as hostname a mis-use of API?  Are all applications
not wanting to do DNS resolution when not needed expected to switch to
request_init / hosts_access instead?  Is there any use cases where
ignoring hostname based rules when STRING_UNKNOWN is passed as hostname
argument to hosts_ctl is more desired than tcp_wrappers performing
resolution when needed?

Denying zero-length hostname/address sounds like a library workaround
too, with no obvious benefits for those doing such change.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.