From owner-freebsd-bugs Tue Jun 22 8:20: 2 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id D5FEF15273 for ; Tue, 22 Jun 1999 08:20:00 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id IAA22162; Tue, 22 Jun 1999 08:20:00 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767) id 2BDE915171; Tue, 22 Jun 1999 08:19:48 -0700 (PDT)
Message-Id: <19990622151948.2BDE915171@hub.freebsd.org>
Date: Tue, 22 Jun 1999 08:19:48 -0700 (PDT)
From: grandi@noao.edu
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: conf/12342: /etc/hosts.allow must use numerical IP addresses when protecting portmap
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         12342
>Category:       conf
>Synopsis:       /etc/hosts.allow must use numerical IP addresses when protecting portmap
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 22 08:20:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Steve Grandi
>Release:        FreeBSD 3.2-STABLE
>Organization:   National Optical Astronomy Observatories
>Environment:
FreeBSD noao.edu 3.2-STABLE FreeBSD 3.2-STABLE #6: Thu Jun 10 12:22:41 MST 1999 grandi@noao.edu:/usr/src/sys/compile/NOAO
>Description:
In /usr/src/usr.sbin/portmap/pmap_check.c, in a comment at the beginning concerning -DHOSTS_ACCESS, we find:

 * If compiled with -DHOSTS_ACCESS, reject requests from hosts that are not
 * authorized by the /etc/hosts.{allow,deny} files. The local system is
 * always treated as an authorized host. The access control tables are never
 * consulted for requests from the local system, and are always consulted
 * for requests from other hosts. Access control is based on IP addresses
 * only; attempts to map an address to a host name might cause the
 * portmapper to hang.

However, the examples in /etc/hosts.allow use host names when dealing with the portmap.
>How-To-Repeat:
Try to use a hostname when protecting portmap in /etc/hosts.allow
>Fix:
--- hosts.allow	Tue May 11 02:52:05 1999
+++ hosts.allow.NEW	Tue Jun 22 08:17:30 1999
@@ -33,9 +33,11 @@ sendmail : ALL : allow # Portmapper is used for all RPC services; protect your NFS! -portmap : localhost : allow -portmap : .nice.guy.example.com : allow -portmap : .evil.cracker.example.com : deny +# NOTE: numercial IP addresses must be used for portmap. +# furthermore, local machine acceses are not checked against hosts.allow +#portmap : 123.231.132/255.255.255.0 : allow +#portmap : 123.222. : allow +#portmap : 111.222.111.222 : deny portmap : ALL : allow # Provide a small amount of protection for ftpd >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
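Review bot: the proposed net/mask example `#portmap : 123.231.132/255.255.255.0 : allow` is malformed: tcp_wrappers requires a full dotted quad on both sides of the slash (its dot_quad_addr() accepts nothing but four octets), so a user who uncomments it as written gets a "bad net/mask expression" warning and a pattern that never matches; it should read `123.231.132.0/255.255.255.0`. The two new comment lines also misspell "numercial" and "acceses". Since hosts.allow is evaluated first-match, consider adding a sentence that any deny example must be placed above the retained `portmap : ALL : allow` line, which otherwise admits every remote host to the portmapper.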
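The behaviour the report describes, as an added example that is not part of the PR or of FreeBSD: a small checker that mirrors the numeric-only matching portmap gets from hosts_access (dotted quad, trailing-dot prefix, net/mask), flags portmap rules that rely on host names or on a malformed net/mask pair, and evaluates first-match for a client address. It assumes a simplified hosts.allow grammar (no EXCEPT, no LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, IPv4 only); the sample rules are constructed from the lines in the patch.

```python
import ipaddress

# Constructed sample: the PR's old and proposed portmap rules, with the proposed examples uncommented.
SAMPLE_RULES = """\
portmap : localhost : allow
portmap : .nice.guy.example.com : allow
portmap : 123.231.132/255.255.255.0 : allow
portmap : 123.222. : allow
portmap : 111.222.111.222 : deny
portmap : ALL : allow
"""

def _dot_quad(s):  # tcp_wrappers dot_quad_addr(): exactly four octets, else invalid
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def classify(pattern):
    # numeric forms portmap can honour: 'ip', 'prefix', 'netmask'; 'bad' is a
    # malformed net/mask pair; anything else would need a host name lookup
    if pattern == "ALL":
        return "wildcard"
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return "netmask" if _dot_quad(net) and _dot_quad(mask) else "bad"
    if pattern.endswith(".") and pattern[:-1].replace(".", "").isdigit():
        return "prefix"
    return "ip" if _dot_quad(pattern) else "hostname"

def matches(pattern, client_ip):
    # numeric matching only: name-based and malformed patterns never match, so
    # the rule is skipped (tcpd merely logs a warning for a 'bad' net/mask)
    kind = classify(pattern)
    if kind == "netmask":  # tcp_wrappers tests (addr & mask) == net, net unmasked
        net, mask = (int(ipaddress.IPv4Address(x)) for x in pattern.split("/", 1))
        return (int(ipaddress.IPv4Address(client_ip)) & mask) == net
    return {"wildcard": True, "ip": pattern == client_ip,
            "prefix": client_ip.startswith(pattern)}.get(kind, False)

def _portmap_rules(text):  # (lineno, client patterns, option) per live portmap line
    for n, raw in enumerate(text.splitlines(), 1):
        f = [x.strip() for x in raw.split("#", 1)[0].split(":")]
        if len(f) >= 2 and f[0] == "portmap":
            yield n, f[1].replace(",", " ").split(), f[2] if len(f) > 2 else "allow"

def audit(text):  # portmap patterns that cannot work as written
    return [(n, p, classify(p)) for n, pats, _ in _portmap_rules(text)
            for p in pats if classify(p) in ("hostname", "bad")]

def decide(text, client_ip):  # first match wins; None = nothing in this file matched
    return next((opt for _, pats, opt in _portmap_rules(text)
                 if any(matches(p, client_ip) for p in pats)), None)
```

Note that a client inside the malformed `123.231.132/255.255.255.0` network falls through every example and lands on `portmap : ALL : allow`, which is the failure mode the reviewer should expect from a bad net/mask.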