Date:      Fri, 25 Jan 2002 03:37:31 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        Dag-Erling Smorgrav <des@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Message-ID:  <20020125003730.GB89126@nagual.pp.ru>
In-Reply-To: <Pine.NEB.3.96L.1020124192635.67438C-100000@fledge.watson.org>
References:  <20020124212631.GA86757@nagual.pp.ru> <Pine.NEB.3.96L.1020124192635.67438C-100000@fledge.watson.org>

On Thu, Jan 24, 2002 at 19:29:46 -0500, Robert Watson wrote:
> 
> You want to be very careful to avoid potential vulnerability to access
> control or denial of service issues here.  Don't trust DNS strings to be

Not me, but OPIE developers :-)

> "safe".  For example, are there any potential negative effects if I break
> into your upstream nameserver (at an ISP, say), and cause localhost to
> resolve to my address, and likewise reverse lookup?  Does opieaccess()
> actually convert localhost to 127.0.0.1, or does it rely on the resolver
> library?  Will localhost actually resolve to 127.0.0.1, or might it
> resolve purely to ::1 on an IPv6-only system?

OPIE relies on the resolver. Since localhost is always in /etc/hosts, you 
can't mimic it using an upstream name server. OPIE currently does not support 
IPv6, but I remember I saw a patch recently that is planned to be committed to 
fix this.

-- 
Andrey A. Chernov
http://ache.pp.ru/
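
Added example, not part of the original message and not code from OPIE or pam_opieaccess: one way to decide whether a peer is local without trusting any name lookup, covering the questions raised in the thread (resolver dependence, `::1` on IPv6 systems). The function names are hypothetical; the check works on the numeric socket address, so neither DNS nor /etc/hosts is consulted.

```c
/* Added example: classify a peer as loopback from its numeric address only. */
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Return 1 if sa is 127.0.0.0/8, ::1, or an IPv4-mapped ::ffff:127.x.x.x. */
static int sockaddr_is_loopback(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr))
            return 1;
        /* Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
            return in6->sin6_addr.s6_addr[12] == 127;
    }
    return 0;
}

/*
 * Parse a numeric address string and classify it.
 * AI_NUMERICHOST forbids resolver lookups, so a host name such as
 * "localhost" is rejected instead of being resolved.
 * Returns 1 (loopback), 0 (not loopback), -1 (not a numeric address).
 */
int numeric_is_loopback(const char *text)
{
    struct addrinfo hints, *res;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(text, NULL, &hints, &res) != 0)
        return -1;
    rc = sockaddr_is_loopback(res->ai_addr);
    freeaddrinfo(res);
    return rc;
}
```

In a server, `sockaddr_is_loopback()` would be applied to the address returned by `getpeername()` or `accept()`.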
