From: Robert Watson <robert@fledge.watson.org>
Date: Thu, 24 Jan 2002 19:29:46 -0500 (EST)
To: "Andrey A. Chernov"
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
In-Reply-To: <20020124212631.GA86757@nagual.pp.ru>

On Fri, 25 Jan 2002, Andrey A. Chernov wrote:

> On Thu, Jan 24, 2002 at 08:18:43 -0800, Dag-Erling Smorgrav wrote:
> > des         2002/01/24 08:18:43 PST
> >
> >   Modified files:
> >     lib/libpam/modules/pam_opieaccess pam_opieaccess.c
> >   Log:
> >   Correctly interpret PAM_RHOST being unset as an indicator of a local
> >   login.
>
> > if ((rhost == NULL || opieaccessfile(rhost))
>
> This is not the way OPIE auth is supposed to work. I.e. in the non-PAM
> variant you may choose not to add the local host to the /etc/opieaccess
> file, but with this change you can't: it is always there. IMHO the proper
> way would be:
>
> if (rhost == NULL)
>         rhost = "localhost";
>
> opieaccess() automatically converts "localhost" to "127.0.0.1" and
> searches for it in /etc/opieaccess.

You want to be very careful to avoid potential vulnerability to access
control or denial of service issues here. Don't trust DNS strings to be
"safe".

For example, are there any potential negative effects if I break into
your upstream nameserver (at an ISP, say), and cause localhost to resolve
to my address, and likewise reverse lookup? Does opieaccess() actually
convert localhost to 127.0.0.1, or does it rely on the resolver library?
Will localhost actually resolve to 127.0.0.1, or might it resolve purely
to ::1 on an IPv6-only system?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
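As an added illustration (not code from the commit, from libopie or from either author), a constructed C model of the two readings of an unset PAM_RHOST discussed in this thread: the committed check versus the proposed "localhost" substitution. The access table, the resolver hook and both resolvers are constructed for the example; it shows that the substitution makes the decision depend on the resolver's answer, which is the denial-of-service case Robert raises when localhost has no IPv4 answer.

```c
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Constructed model of an /etc/opieaccess-style table (address/netmask pairs
 * permitted to use a plain, non-OPIE password). Not libopie's own code. */
struct access_entry { const char *addr; const char *mask; };
static const struct access_entry trusted[] = { { "127.0.0.1", "255.255.255.255" } };

/* Hypothetical resolver hook: host name -> dotted quad, or NULL if no answer. */
typedef const char *(*resolve_fn)(const char *name);

static int addr_allowed(const char *dotted)
{
    struct in_addr a, n, m;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return 0;
    for (int i = 0; i < (int)(sizeof trusted / sizeof trusted[0]); i++) {
        inet_pton(AF_INET, trusted[i].addr, &n);
        inet_pton(AF_INET, trusted[i].mask, &m);
        if ((a.s_addr & m.s_addr) == (n.s_addr & m.s_addr))
            return 1;
    }
    return 0;
}

/* Policy A (the committed check): an unset PAM_RHOST is a local login and is
 * accepted without consulting the resolver or the access table at all. */
int allow_plain_password_a(const char *rhost, resolve_fn resolve)
{
    if (rhost == NULL) return 1;
    const char *ip = resolve(rhost);
    return ip != NULL && addr_allowed(ip);
}

/* Policy B (the proposed substitution): treat an unset PAM_RHOST as the name
 * "localhost" and run the normal lookup, so the result depends on the resolver. */
int allow_plain_password_b(const char *rhost, resolve_fn resolve)
{
    if (rhost == NULL) rhost = "localhost";
    const char *ip = resolve(rhost);
    return ip != NULL && addr_allowed(ip);
}

/* Two constructed resolvers: the expected answer, and one with no IPv4 answer
 * for "localhost" (e.g. an IPv6-only host or a misbehaving upstream server). */
const char *resolver_ok(const char *name)
{
    return strcmp(name, "localhost") == 0 ? "127.0.0.1" : "203.0.113.7";
}
const char *resolver_no_ipv4(const char *name) { (void)name; return NULL; }
```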