Date: Wed, 15 Apr 2009 16:08:35 +0200
From: Tomas Hoger <thoger@...hat.com>
To: wietse@...cupine.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Some fun with tcp_wrappers

Hi Wietse!

On Wed, 15 Apr 2009 08:07:42 -0400 (EDT) wietse@...cupine.org (Wietse
Venema) wrote:

> >   https://bugzilla.redhat.com/show_bug.cgi?id=491095
> 
> If some applications mis-use the library API then that is really
> unfortunate.

The problem is not really limited to the applications that mis-use
API.  According to hosts_access(3):

  hosts_ctl() is a wrapper around the request_init() and
  hosts_access() routines with a perhaps more convenient interface
  (though it does not pass on enough information to support automated
  client username lookups).  The client host address, client host
  name and username arguments should contain valid data or
  STRING_UNKNOWN.  hosts_ctl() returns zero if access should be denied.

STRING_UNKNOWN is a valid argument expected to be passed to hosts_ctl.
That description does not seem clear enough to indicate that when
one uses hosts_ctl as:

  hosts_ctl(svcname, STRING_UNKNOWN, client_addr, STRING_UNKNOWN)

all hostname-based rules are ignored.  It seems those using hosts_ctl
do not always realize that.

> Changing the library to work around application bugs is a BAD idea.
> It helps only one platform and complicates cross-platform software
> that does play by the rules.

It's hard to disagree with that.  Though we seem to have failed on this
some time ago already.  The change was done as a bugfix nearly two years
ago in Fedora / Red Hat Enterprise Linux 5 (after some discussion
whether this is application or tcp_wrappers bug), we're now only
introducing the change to products that are not too relevant for future
applications development (all released 4+ years ago).

> I would recommend fixing applications that mis-use the library API.
> To encourage application developers, the library could log a warning
> and return a DENY result for improper calls such as a zero-length
> hostname or address argument.

Is STRING_UNKNOWN as hostname a mis-use of API?  Are all applications
not wanting to do DNS resolution when not needed expected to switch to
request_init / hosts_access instead?  Are there any use cases where
ignoring hostname based rules when STRING_UNKNOWN is passed as hostname
argument to hosts_ctl is more desired than tcp_wrappers performing
resolution when needed?

Denying zero-length hostname/address sounds like a library workaround
too, with no obvious benefits for those doing such change.

-- 
Tomas Hoger / Red Hat Security Response Team
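The hosts_ctl() behaviour discussed in the message above, as an added example that is not part of the original posting and not libwrap's own code: a small Python model of the hosts_access(5) evaluation order (a hosts.allow match grants, then a hosts.deny match refuses, otherwise access is granted) in which a domain-name client pattern such as ".badhosts.example" can only match when a client hostname is available. The reverse-DNS table, the policy and the function names (hosts_ctl_model, client_matches, demo) are constructed for this illustration; the "resolve when needed" branch models the distribution change described in the thread, not code from any shipped tcp_wrappers.

```python
"""Simplified model of tcp_wrappers access control (illustration only).

Not libwrap's code: it reproduces only the allow-then-deny evaluation
order of hosts_access(5) and the fact that a domain-name client pattern
(".example.com") can match only when a client hostname is available, so
an application calling hosts_ctl() with STRING_UNKNOWN as the hostname
silently loses every hostname-based rule.
"""
import ipaddress

STRING_UNKNOWN = "unknown"   # the value tcp_wrappers uses for "no data"

# Constructed reverse-DNS table standing in for real PTR lookups.
FAKE_REVERSE_DNS = {
    "192.0.2.10": "scanner.badhosts.example",
    "198.51.100.7": "build1.corp.example",
}


def parse_table(text):
    """Parse 'daemon_list : client_list' lines as in hosts.allow/hosts.deny."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        table.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return table


def client_matches(pattern, hostname, address, resolve):
    """Match one client pattern; hostname-based patterns need a name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix pattern
        if hostname == STRING_UNKNOWN and resolve:
            # Modelled "resolve when a rule needs it" behaviour (assumption).
            hostname = FAKE_REVERSE_DNS.get(address, STRING_UNKNOWN)
        return hostname != STRING_UNKNOWN and hostname.endswith(pattern)
    if "/" in pattern:                           # CIDR pattern, address only
        return (address != STRING_UNKNOWN and
                ipaddress.ip_address(address)
                in ipaddress.ip_network(pattern, strict=False))
    if pattern.endswith("."):                    # net prefix pattern, address only
        return address != STRING_UNKNOWN and address.startswith(pattern)
    return pattern in (hostname, address)        # exact host name or address


def table_matches(table, daemon, hostname, address, resolve):
    """True if any rule in the table covers this daemon and this client."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(c, hostname, address, resolve) for c in clients)
        for daemons, clients in table)


def hosts_ctl_model(allow_text, deny_text, daemon, hostname, address,
                    resolve=False):
    """Return True if access is granted, following hosts_access(5) order."""
    if table_matches(parse_table(allow_text), daemon, hostname, address, resolve):
        return True
    if table_matches(parse_table(deny_text), daemon, hostname, address, resolve):
        return False
    return True


# Constructed policy: admit the corporate network, block an abusive domain.
HOSTS_ALLOW = "sshd: 198.51.100.0/24\n"
HOSTS_DENY = "sshd: .badhosts.example\n"


def demo():
    """Same client and policy; only the hostname argument differs."""
    addr = "192.0.2.10"
    name = FAKE_REVERSE_DNS[addr]
    return {
        # request_init()/hosts_access() style: the library knows the name.
        "with_hostname": hosts_ctl_model(HOSTS_ALLOW, HOSTS_DENY,
                                         "sshd", name, addr),
        # hosts_ctl(svc, STRING_UNKNOWN, addr, STRING_UNKNOWN) as shipped:
        # the ".badhosts.example" rule can never match, so access is granted.
        "string_unknown": hosts_ctl_model(HOSTS_ALLOW, HOSTS_DENY,
                                          "sshd", STRING_UNKNOWN, addr),
        # Same call under the modelled "resolve when needed" change.
        "string_unknown_resolving": hosts_ctl_model(HOSTS_ALLOW, HOSTS_DENY,
                                                    "sshd", STRING_UNKNOWN,
                                                    addr, resolve=True),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

The middle case is the one the thread is about: the deny rule is present and correct, the client is in the blocked domain, and access is still granted because nothing supplied a name for the rule to compare against. Real libwrap additionally checks forward/reverse consistency and supports more pattern forms; none of that changes the outcome shown here.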
