Date: Wed, 21 Jun 2006 14:08:57 +0800 From: Xin LI <delphij@delphij.net> To: Mike Jakubik <mikej@rogers.com> Cc: Justin Hibbits <jrh29@eecs.cwru.edu>, freebsd-current@freebsd.org Subject: Re: ~/.hosts patch Message-ID: <1150870137.78122.14.camel@spirit> In-Reply-To: <4498DF20.8020803@rogers.com> References: <C41481BC-89F3-457E-9FD0-CB85CE7B93E7@eecs.cwru.edu> <4498D108.90907@rogers.com> <20060621053007.GA3320@odin.ac.hmc.edu> <4498DF20.8020803@rogers.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--=-lQupXpE5UkHZiXpKFtwz Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =E5=9C=A8 2006-06-21=E4=B8=89=E7=9A=84 01:54 -0400=EF=BC=8CMike Jakubik=E5= =86=99=E9=81=93=EF=BC=9A > [snip] > > It's useful for cases where you want to add shortcuts to hosts as a use= r > > or do interesting ssh port forwarding tricks in some weird cases where > > you must connect to localhost:port as remotehost:port due to > > client/server protocol bugs. > > > > This patch appears to only support ~/.hosts for non-suid binaries which > > is the only real security issue. Any admin relying on host to IP > > mapping for security for ordinary users is an idiot so that case isn't > > worth worrying about. Doing this as a separate nss module probably > > makes sense, but I personally like the feature. > > Of course relying on /etc/hosts entries for security alone is indeed not=20 > a good idea, however an Admin may choose to resolve and therefore route=20 > specified hostnames via /etc/hosts. The user should not be able to=20 > overwrite these, if this behavior is true, then it seems like a=20 > reasonable change to me, otherwise it not only seems to be a security=20 > problem, but also a breach of POLA. I think this would be better implemented with a nss module so that the administrator can choose whether to utilize the feature. BTW. I do not see much problem if the feature is not enabled for setuid binaries because if the user already knows some secret (run under his or her own credential), nor can the user trick others to utilize the ~/.hosts if the program is a setuid binary. What's your concern about the "security problem", or could you please point how can we successfully exploit the ~/.hosts to get privilege escalation and/or information disclosure or something else, which could not happen without ~/.hosts? Cheers, --=20 Xin LI <delphij delphij net> http://www.delphij.net/ --=-lQupXpE5UkHZiXpKFtwz Content-Type: application/pgp-signature; name=signature.asc Content-Description: =?UTF-8?Q?=E8=BF=99=E6=98=AF=E4=BF=A1=E4=BB=B6=E7=9A=84=E6=95=B0?= =?UTF-8?Q?=E5=AD=97=E7=AD=BE=E5=90=8D=E9=83=A8=E5=88=86?= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQBEmOJ5hcUczkLqiksRAhOwAJwMfxpz9JQJnyRPORZOUEGM3sTj+ACfWXiY UDsqzSnBYicTZ7ccPpOfd74= =ID6H -----END PGP SIGNATURE----- --=-lQupXpE5UkHZiXpKFtwz--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1150870137.78122.14.camel>