From owner-freebsd-current@FreeBSD.ORG Wed Jun 21 08:49:49 2006 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B7E9416A474; Wed, 21 Jun 2006 08:49:49 +0000 (UTC) (envelope-from tarc@tarc.po.cs.msu.su) Received: from tarc.po.cs.msu.su (tarc.po.cs.msu.su [158.250.16.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D85743D49; Wed, 21 Jun 2006 08:49:48 +0000 (GMT) (envelope-from tarc@tarc.po.cs.msu.su) Received: from tarc.po.cs.msu.su (localhost [127.0.0.1]) by tarc.po.cs.msu.su (8.13.4/8.13.4) with ESMTP id k5L8rpJo086721; Wed, 21 Jun 2006 12:53:51 +0400 (MSD) (envelope-from tarc@tarc.po.cs.msu.su) Received: (from tarc@localhost) by tarc.po.cs.msu.su (8.13.4/8.13.4/Submit) id k5L8rp6a086719; Wed, 21 Jun 2006 12:53:51 +0400 (MSD) (envelope-from tarc) Date: Wed, 21 Jun 2006 12:53:46 +0400 From: Tarc To: Maxime Henrion Message-ID: <20060621085346.GN65044@tarc.po.cs.msu.su> References: <4498DF20.8020803@rogers.com> <1150870137.78122.14.camel@spirit> <20060621082734.Q24109@beagle.kn.op.dlr.de> <20060621063816.GA32889@what-creek.com> <20060621000250.A6468@xorpc.icir.org> <20060621070739.GB35132@what-creek.com> <20060621002036.A6576@xorpc.icir.org> <20060621073123.GA35319@what-creek.com> <20060621100759.2371115a@marcin> <20060621083221.GL8070@elvis.mu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20060621083221.GL8070@elvis.mu.org> User-Agent: mutt-ng/devel-r581 (FreeBSD) Cc: Marcin Jessa , freebsd-current@freebsd.org Subject: Re: ~/.hosts patch X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Jun 2006 08:49:49 -0000 On Wed, Jun 21, 2006 at 10:32:21AM +0200, Maxime Henrion wrote: > Marcin Jessa wrote: > > On Wed, 21 Jun 2006 07:31:23 +0000 > > John Birrell wrote: > > > > > On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote: > > > > On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote: > > > > > The fact that a lot of innocent (naive) people don't use https > > > > > and certificates?! > > > > > > > > and so they would happily click on > > > > > > > > Secure Link to > > > > Your Bank > > > > > > > > so we are not opening much in terms of security holes... > > > > > > You are making it worse because you open a new security hole: > > > > > > www.paypal.com > > > > > > does not take them to the _REAL_ www.paypal.com. > > > > > > This is not an issue about phishing where: > > > > > > www.paypal.com > > > > > > makes it look like the link takes them to PayPal when it really > > > doesn't. > > > > > > Most banks still don't use certificates even though they use HTTP. > > > > > > We need to retain the integrity of a DNS lookup. If there are any work > > > arounds required for poor DNS lookups, then let an administrator > > > configure them! > > > > Just add a global switch to enable/disable using of the ~/.hosts file > > to i.e /etc/login.conf. > > I personally find this feature very handy, especially on a desktop > > with restricted access to the system. > > Better yet; the original author is currently working on making this a > separate nss module. It can then be enabled/disabled at will through > the nsswitch.conf file. > > I can understand the security concerns people have expressed in this > thread, but once this functionality is available as a nss module they > don't hold anymore. As far as I can see, noone intends to have this > enabled by default, and it's not even clear it should be in the base. > Having a nss_userfiles port or whatever is probably enough. > > Cheers, > Maxime Yes, but the global capability must be there. Or you can say, how enable this ability (if it'll be nss port) only for several users/groups ?!! -- Best regards, Arseny Nasokin