Date: Fri, 25 Jan 2002 03:37:31 +0300
From: "Andrey A. Chernov"
To: Robert Watson
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Message-ID: <20020125003730.GB89126@nagual.pp.ru>
References: <20020124212631.GA86757@nagual.pp.ru>

On Thu, Jan 24, 2002 at 19:29:46 -0500, Robert Watson wrote:
>
> You want to be very careful to avoid potential vulnerability to access
> control or denial of service issues here. Don't trust DNS strings to be

Not me, but OPIE developers :-)

> "safe". For example, are there any potential negative effects if I break
> into your upstream nameserver (at an ISP, say), and cause localhost to
> resolve to my address, and likewise reverse lookup? Does opieaccess()
> actually convert localhost to 127.0.0.1, or does it rely on the resolver
> library? Will localhost actually resolve to 127.0.0.1, or might it
> resolve purely to ::1 on an IPv6-only system?

OPIE relies on the resolver. Since localhost is always in /etc/hosts, you
can't mimic it using an upstream name server. OPIE currently does not
support IPv6, but I remember I saw a patch recently, planned to be
committed, to fix this.

--
Andrey A. Chernov
http://ache.pp.ru/
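
Added example (not part of the original message, and not OPIE or FreeBSD code): one way to decide whether a peer is local without depending on what the resolver returns for "localhost" is to compare the numeric address itself, covering 127.0.0.0/8, ::1 and IPv4-mapped loopback. The helper name peer_is_loopback and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/*
 * Hypothetical helper (not from OPIE or pam_opieaccess).
 * Returns 1 if addr is a numeric loopback address, 0 if it is a numeric
 * non-loopback address, and -1 if it is not a numeric address at all
 * (for example a host name, which only the resolver could interpret).
 */
int
peer_is_loopback(const char *addr)
{
	struct in_addr a4;
	struct in6_addr a6;

	if (inet_pton(AF_INET, addr, &a4) == 1)
		/* 127.0.0.0/8: check the top octet in host byte order */
		return ((ntohl(a4.s_addr) >> 24) == 127);

	if (inet_pton(AF_INET6, addr, &a6) == 1) {
		if (IN6_IS_ADDR_LOOPBACK(&a6))		/* ::1 */
			return (1);
		if (IN6_IS_ADDR_V4MAPPED(&a6))		/* ::ffff:a.b.c.d */
			return (a6.s6_addr[12] == 127);
		return (0);
	}
	return (-1);	/* a name, not an address: no resolver lookup here */
}

int
main(void)
{
	/* Constructed sample inputs (documentation address ranges) */
	const char *samples[] = { "127.0.0.1", "127.8.9.10", "::1",
	    "::ffff:127.0.0.1", "192.0.2.10", "2001:db8::1", "localhost" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-18s -> %d\n", samples[i],
		    peer_is_loopback(samples[i]));
	return (0);
}
```

A caller that receives -1 has been handed a name rather than an address and can refuse it or treat it as non-local instead of asking the resolver.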