Re: tcpd -DPARANOID doesn't work, and never did

From: Wietse Venema (wietseat_private)
Date: Tue Nov 10 1998 - 13:43:42 PST

Next message: Spartak Radchenko: "Re: WWWBoard Vulnerability"

Previous message: Lincoln Stein: "Re: Several new CGI vulnerabilities"
Maybe in reply to: D. J. Bernstein: "tcpd -DPARANOID doesn't work, and never did"
Next in thread: D. J. Bernstein: "Re: tcpd -DPARANOID doesn't work, and never did"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Peter Wemm:
> rshd and rlogind are safe (as far as I can
> tell) on all systems that are 4.3BSD-net2 (and later) derivatives.  They
> don't need -DPARANOID at all.

Correction: the NET2 rshd/rlogind `paranoid' code is NOT ok.

NET2 code looks up the client name with gethostbyaddr(), checks
the address list from gethostbyname(), and then uses the hostname
result from gethostbyname(), which could be something different.

That's why TCPD demands that the hostname results from gethostbyaddr()
and gethostbyname() be identical, and doesn't even allow PTRs to
CNAMEs.  Without this, it was just too easy to spoof your way in.

Unfortunately, the BSD-style `paranoid' check that ends up using
the wrong hostname has made its way into other programs as well.

        Wietse

Next message: Spartak Radchenko: "Re: WWWBoard Vulnerability"
Previous message: Lincoln Stein: "Re: Several new CGI vulnerabilities"
Maybe in reply to: D. J. Bernstein: "tcpd -DPARANOID doesn't work, and never did"
Next in thread: D. J. Bernstein: "Re: tcpd -DPARANOID doesn't work, and never did"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:42 PDT