From c93e8d8eeafec3e3228e24dfebef113e0a79a788 Mon Sep 17 00:00:00 2001
From: "Signed-off-by: NeilBrown" <neilb@suse.de>
Date: Tue, 28 May 2013 12:59:22 -0400
Subject: [PATCH] gssd: Fix recent fix to Avoid DNS reverse resolution in gssd.
The final version for this fix that was committed inverted the test
so it makes no change in the important cases.
The documentation didn't really help a naive user know when the new -D
flag should be used.
And the code (once fixed) avoided DNS resolution on non-qualified names too,
which probably isn't a good idea.
This patch fixes all three issues.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
utils/gssd/gssd.man | 27 ++++++++++++++++++++++-----
utils/gssd/gssd_proc.c | 18 ++++++++++--------
2 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 1df75c5..ac13fd4 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -195,11 +195,28 @@ option when starting
.BR rpc.gssd .
.SH OPTIONS
.TP
-.B -D
-DNS Reverse lookups are not used for determining the
-server names pass to GSSAPI. This option will reverses that and forces
-the use of DNS Reverse resolution of the server's IP address to
-retrieve the server name to use in GSAPI authentication.
+.B \-D
+The server name passed to GSSAPI for authentication is normally the
+name exactly as requested. e.g. for NFS
+it is the server name in the "servername:/path" mount request. Only if this
+servername appears to be an IP address (IPv4 or IPv6) or an
+unqualified name (no dots) will a reverse DNS lookup
+will be performed to get the canoncial server name.
+
+If
+.B \-D
+is present, a reverse DNS lookup will
+.I always
+be used, even if the server name looks like a canonical name. So it
+is needed if partially qualified, or non canonical names are regularly
+used.
+
+Using
+.B \-D
+can introduce a security vulnerability, so it is recommended that
+.B \-D
+not be used, and that canonical names always be used when requesting
+services.
.TP
.B -f
Runs
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 6cd4276..b7e2bbb 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -175,7 +175,6 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
char *hostname;
char hbuf[NI_MAXHOST];
unsigned char buf[sizeof(struct in6_addr)];
- int servername = 0;
if (avoid_dns) {
/*
@@ -183,15 +182,18 @@ get_servername(const char *name, const struct sockaddr *sa, const char *addr)
* If it is an IP address, do the DNS lookup otherwise
* skip the DNS lookup.
*/
- servername = 0;
- if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
- servername = 1; /* IPv4 */
- else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
- servername = 1; /* or IPv6 */
-
- if (servername) {
+ int is_fqdn = 1;
+ if (strchr(name, '.') == NULL)
+ is_fqdn = 0; /* local name */
+ else if (inet_pton(AF_INET, name, buf) == 1)
+ is_fqdn = 0; /* IPv4 address */
+ else if (inet_pton(AF_INET6, name, buf) == 1)
+ is_fqdn = 0; /* IPv6 addrss */
+
+ if (is_fqdn) {
return strdup(name);
}
+ /* Sorry, cannot avoid dns after all */
}
switch (sa->sa_family) {
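Review bot: The block comment on the context lines directly above `int is_fqdn = 1;` ("If it is an IP address, do the DNS lookup otherwise skip the DNS lookup") no longer matches the new branch chain, which also sends dotless names to the reverse lookup; replace it with `/* Use the name as given only if it contains a dot and is not an IPv4/IPv6 literal; IP literals and dotless local names still fall through to the reverse DNS lookup below. */` so the comment names all three cases. Because the AF_INET6 test is only reached for names that already contain a '.', a plain IPv6 literal (which normally has no dot) takes the `/* local name */` branch instead — the outcome is the same lookup, but that branch comment is misleading for such input, and `/* IPv6 addrss */` has a typo. Since the man page hunk in this same commit describes the reverse lookup as the risky path, the trailing `/* Sorry, cannot avoid dns after all */` would be clearer as `/* IP literal or unqualified name: fall back to the reverse DNS lookup */`. get_servername continues outside the hunk, where the lookup itself is performed.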
--
1.8.3.1.487.g3e7a5b4