From owner-freebsd-current@FreeBSD.ORG Fri Jun 23 14:48:20 2006 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49E5C16A494 for ; Fri, 23 Jun 2006 14:48:20 +0000 (UTC) (envelope-from jrh29@eecs.cwru.edu) Received: from eastrmmtao06.cox.net (eastrmmtao06.cox.net [68.230.240.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id E531743D45 for ; Fri, 23 Jun 2006 14:48:18 +0000 (GMT) (envelope-from jrh29@eecs.cwru.edu) Received: from [192.168.1.101] (really [68.98.142.45]) by eastrmmtao06.cox.net (InterMail vM.6.01.06.01 201-2131-130-101-20060113) with ESMTP id <20060623144816.QFCC16402.eastrmmtao06.cox.net@[192.168.1.101]>; Fri, 23 Jun 2006 10:48:16 -0400 In-Reply-To: <4498DF20.8020803@rogers.com> References: <4498D108.90907@rogers.com> <20060621053007.GA3320@odin.ac.hmc.edu> <4498DF20.8020803@rogers.com> Mime-Version: 1.0 (Apple Message framework v750) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Justin Hibbits Date: Fri, 23 Jun 2006 10:48:13 -0400 To: Mike Jakubik X-Mailer: Apple Mail (2.750) X-Mailman-Approved-At: Fri, 23 Jun 2006 14:57:07 +0000 Cc: freebsd-current@freebsd.org Subject: Re: ~/.hosts patch X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Jun 2006 14:48:20 -0000 On Jun 21, 2006, at 01:54 , Mike Jakubik wrote: > Brooks Davis wrote: >> On Wed, Jun 21, 2006 at 12:54:32AM -0400, Mike Jakubik wrote: >> >>> Justin Hibbits wrote: >>> >>>> Hey folks, got an interesting patch. This adds a ~/.hosts file >>>> (personal version of /etc/hosts). It was written against 6- >>>> STABLE about a week before 6.1 was released, and has been >>>> sitting collecting dust for the last month and a half. >>>> Currently it augments /etc/hosts instead of replacing it or >>>> prepending it. Any comments? One suggestion that was made was >>>> to make it an nss module so that it could be controlled by the >>>> admin. It probably could use some cleanup as well, just putting >>>> it out here for proof of concept for now, and some direction. >>>> >>> Just what exactly is the point of having a user specified hosts >>> file? Seems like a bad idea to me, in terms of security. >>> >> >> It's useful for cases where you want to add shortcuts to hosts as >> a user >> or do interesting ssh port forwarding tricks in some weird cases >> where >> you must connect to localhost:port as remotehost:port due to >> client/server protocol bugs. >> >> This patch appears to only support ~/.hosts for non-suid binaries >> which >> is the only real security issue. Any admin relying on host to IP >> mapping for security for ordinary users is an idiot so that case >> isn't >> worth worrying about. Doing this as a separate nss module probably >> makes sense, but I personally like the feature. >> > > Of course relying on /etc/hosts entries for security alone is > indeed not a good idea, however an Admin may choose to resolve and > therefore route specified hostnames via /etc/hosts. The user should > not be able to overwrite these, if this behavior is true, then it > seems like a reasonable change to me, otherwise it not only seems > to be a security problem, but also a breach of POLA. > In the next couple weeks, when I get some time, I will make it a NSS module, so that it can be controlled by the admin. - Justin