martin f krafft wrote:
> I found the following relating to the 'fqdn' option in sudoers(5):
>
>     This option is only effective when the “canonical” host name, as
>     returned by the getaddrinfo() or gethostbyname() function, is
>     a fully-qualified domain name. This is usually the case when the
>     system is configured to use DNS for host name resolution.

Many programs were written expecting that gethostbyname() returns the FQDN. That is very much the way BSD machines were typically deployed. I always used to run all of my systems with the fully qualified name set as the system hostname. For the simple case where a server has exactly one IP address this works well. But that assumption / strategy causes problems when a system has multiple IP addresses. In that case that type of strategy says that the machine has multiple canonical names, and that can't be simultaneously true.

But Postfix is not happy by default if the short hostname is returned from gethostbyname(). In which case one should set the Postfix myhostname variable to the fully qualified domain name. Similar issues exist with Apache. I think sudo may be in a similar mode, and may be trying to use reverse DNS queries to generate a FQDN.

>     If the system is configured to use the /etc/hosts file in
>     preference to DNS, the “canonical” host name may not be
>     fully-qualified.
>
> What does this mean? And if so, why must it not be fully-qualified?

I do not read the "name may not be" as a directive. I read that in the uncertain form of "may not" as in "might not". "The canonical host name might not be fully qualified." I believe that is the intention.

Let me rephrase that into the way that I think the author intended but didn't say. But note that this is just my thoughts on it.

    If the system is configured to use the /etc/hosts file in
    preference to DNS, the “canonical” host name will be the name
    configured in the /etc/hosts file. It might not be fully qualified
    if the name listed as canonical in /etc/hosts is not fully
    qualified. It depends upon the contents of that file.

One of the uses of "may" in conversation is as an uncertain value. "It may. It may not. Not knowing, cannot say for certain."

> The manpage continues:
>
>     In the /etc/hosts file, the first host name of the entry is
>     considered to be the “canonical” name; subsequent names are
>     aliases that are not used by sudoers. For example, the following
>     hosts file line for the machine “xyzzy” has the fully-qualified
>     domain name as the “canonical” host name, and the short version
>     as an alias.
>
>         192.168.1.1 xyzzy.sudo.ws xyzzy
>
> Right, this is what I have…
>
>     If the machine's hosts file entry is not formatted properly, the
>     fqdn option will not be effective if it is queried before DNS.
>
> So is this properly formatted?

Yes. That is properly formatted. The canonical FQDN is first. Aliases, one or more if present, will appear after it on the line.

On Debian systems by default the 127.0.1.1 address is configured. But other strategies such as using a public non-hotplugged IP are also valid possibilities.

    127.0.1.1 foo.example.com foo

For clarification would you please run these commands and report the result on your system?

    hostname
    hostname --fqdn
    grep $(hostname) /etc/hosts
    grep hosts /etc/nsswitch.conf
    getent hosts fishbowl
    getent hosts fishbowl.rw.madduck.net

And then whatever it returns for an address do the same there again once more please. I think yours will say 127.0.1.1. (Which is perfectly normal.)

    getent hosts 127.0.1.1
    dpkg -l libnss-myhostname   # is libnss-myhostname installed?

Thanks,
Bob
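The canonical-name rule the thread turns on (first name on an /etc/hosts line is canonical, the rest are aliases, and sudo's fqdn option only helps when that canonical name is fully qualified) can be checked mechanically. The script below is an added example, not code from the thread or from sudo; it parses a constructed hosts-file sample, reports which names would leave the fqdn option ineffective, and, as a separate helper, performs the same getaddrinfo() canonical-name lookup sudo relies on against the live resolver. The helper names (`parse_hosts`, `canonical_name`, `is_fqdn`, `fqdn_option_effective`, `live_canonical_name`) and the sample entries are assumptions made for the example.

```python
"""Canonical-name check for /etc/hosts entries in the sense used by sudoers(5).

Added example, not part of the original mailing-list thread. It parses text in
/etc/hosts format, treats the first name on a line as the canonical name and
the rest as aliases, and reports whether the canonical name for a given host
is fully qualified. The hosts text below is constructed for the example.
"""
import socket

# Constructed sample in /etc/hosts format: one well-formed entry (canonical
# FQDN first, short alias second) and one reversed entry, which is the
# misformatting the man page quoted in the thread warns about.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   foo.example.com foo        # well formed: FQDN is canonical
10.0.0.5    bar bar.example.com        # reversed: short name is canonical
"""


def parse_hosts(text):
    """Return a list of (address, canonical, [aliases]) tuples.

    Follows the hosts(5) rules the thread relies on: '#' starts a comment,
    fields are whitespace separated, the first host name is canonical.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no names: nothing to resolve
        addr, canonical, *aliases = fields
        entries.append((addr, canonical, aliases))
    return entries


def canonical_name(text, name):
    """Canonical name a hosts-file lookup of `name` would yield, or None.

    Any name on the line (canonical or alias) matches, but the answer is
    always the first name on that line, which is what sudo's fqdn option sees.
    """
    for _addr, canonical, aliases in parse_hosts(text):
        if name == canonical or name in aliases:
            return canonical
    return None


def is_fqdn(name):
    """A fully-qualified name has at least two non-empty dot-separated labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def fqdn_option_effective(text, name):
    """Would sudo's fqdn option work for `name` with this hosts file ahead of DNS?"""
    canon = canonical_name(text, name)
    return canon is not None and is_fqdn(canon)


def live_canonical_name(name):
    """Ask the system resolver (nsswitch.conf order applies) for the canonical
    name via getaddrinfo() with AI_CANONNAME, the same call sudo relies on.
    Returns None if the lookup fails; only the first result carries canonname."""
    try:
        info = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return None
    return info[0][3] if info else None


if __name__ == "__main__":
    for host in ("foo", "foo.example.com", "bar", "bar.example.com", "nothere"):
        print(f"{host:18} canonical={str(canonical_name(SAMPLE_HOSTS, host)):18} "
              f"fqdn option effective={fqdn_option_effective(SAMPLE_HOSTS, host)}")
    print("live canonical name of this host:",
          live_canonical_name(socket.gethostname()))
```

Run it as is to see the parsed verdicts for the constructed sample; the last line queries the real resolver, so its output depends on the machine's /etc/hosts and nsswitch.conf, which is exactly the dependency the commands requested in the thread are meant to surface.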

