Date: Sat, 27 Aug 2011 12:49:43 -0500
From: "JimF" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: Re: #include "john.conf2" (a wish list item)

From: "Solar Designer" <solar@...nwall.com>
>
> I think JimF's code is fine for jumbo (although I am relying on what was
> said in here; I haven't tried the feature out yet), but just to provide
> inspiration for possible enhancements (if we ever choose to implement
> those), here are two other pieces of code with detection of infinite
> recursion (loop).
>

It is likely that we will have to add some form of name storage, checking 
for the rules including rules code.  So, if that is the case, it would be 
pretty easy to do the same thing for the .conf file including.

NOTE, there is no need at all to implement this with super cool bells / 
whistles, or worry at all about it being made optimal.  It is only done one 
time, at startup, so a very simplistic but rock solid method would be more 
than adequate.  I think simply dropping names on a list, likely a static 
global to the config.c, and then check the list. If the name is already on 
the list, then skip that line, just like a comment.

Now, what is put ON the list does matter.  So for the .conf's, I think we 
need full path.  For the rules, I am not sure we have information on if they 
came from one .conf file, or another, so I think the name itself is all we 
can look up.

One additional step I feel we need to do for rules, is to have a trivial 
rule elimination step, done after the rule is totally loaded.  In this step, 
take the first rule, and search all lines of the rules for exactly the same 
line.  If we find it, we remove any later instances.  Then we take the next 
line, etc, etc.  When done, we have all rules that are not 'exactly' the 
same removed.  NOTE, there certainly can be identical rules still left, if 
there are things in different order, or have something different.  Az"abc" 
and $[a]$[b]$[c] and Az'abc' and $a$b$c (and many more) are exactly the 
same, but putting in logic smart enough to detect this, may be way beyond 
what we can easily do.  However, if a rule includes 6 rules, and each of them 
had Az"abc", then we can easily remove the last 5 of them.

Jim. 
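
The two startup checks described in the message above, as an added sketch that is not code from John the Ripper or from this thread: a static list of already-included full paths that makes a repeated include a no-op, and a pass that removes later byte-identical rule lines. The in-memory "files", the `/demo/` paths, the `#include <path>` line syntax and all function names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
enum { MAX_NAMES = 64, MAX_RULES = 256 };

/* Constructed sample "files" keyed by full path: a includes b, b includes a. */
static const struct { const char *path, *lines[4]; } files[] = {
    { "/demo/a.conf", { "#include /demo/b.conf", "Az\"abc\"", "l", NULL } },
    { "/demo/b.conf", { "#include /demo/a.conf", "Az\"abc\"", "$a$b$c", NULL } },
};
static const char *seen[MAX_NAMES], *rules[MAX_RULES];
static int n_seen, n_rules;

/* Return 1 if name is on the list (or the list is full), else record it. */
static int already_included(const char *name) {
    for (int i = 0; i < n_seen; i++)
        if (!strcmp(seen[i], name)) return 1;
    if (n_seen == MAX_NAMES) return 1;   /* fail closed rather than loop */
    seen[n_seen++] = name;
    return 0;
}

static void load(const char *path) {
    if (already_included(path)) return;  /* skipped, just like a comment */
    for (size_t f = 0; f < sizeof files / sizeof *files; f++)
        for (int i = 0; !strcmp(files[f].path, path) && files[f].lines[i]; i++) {
            const char *ln = files[f].lines[i];
            if (!strncmp(ln, "#include ", 9)) load(ln + 9); /* made-up directive */
            else if (n_rules < MAX_RULES) rules[n_rules++] = ln;
        }
}

/* Keep the first instance of each line; drop later byte-identical ones. */
static int dedupe(const char **v, int n) {
    int out = 0;
    for (int i = 0; i < n; i++) {
        int j = 0;
        while (j < out && strcmp(v[j], v[i])) j++;
        if (j == out) v[out++] = v[i];
    }
    return out;
}

static int load_and_dedupe(const char *top) {
    n_seen = n_rules = 0;
    load(top);
    return n_rules = dedupe(rules, n_rules);
}

int main(void) {
    for (int i = 0, n = load_and_dedupe("/demo/a.conf"); i < n; i++) puts(rules[i]);
    return 0;
}
```

The second `Az"abc"` is dropped while `$a$b$c` stays, since only exact string matches are compared.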
