On Sun, Sep 08, 2002 at 04:21:02PM -0500, Steve Langasek wrote:
> After a bit of research, I've uncovered the new 'hostname lookups' option
> in Samba HEAD. I understand the value of being able to configure this
> setting, and of having it default to 'no' to conserve resources; however,
> this setting also (unnecessarily, IMHO) breaks the config of anyone using
> hostname-based access lists on upgrade.
>
> Would it be acceptable to add a 'hostname lookups = auto' option as the
> default, which checks the 'hosts allow' and 'hosts deny' lists for
> hostname tokens, and makes its decision based on these other two config
> options? Having hostname lookups unexpectedly turned off can not only
> block access from legitimate users, it can also be a security hole.

Discussing this some on IRC, it seems it may be better to decouple hosts
allow/deny from 'hostname lookups' altogether, since an 'auto' value would
cause the value of the %M macro to change depending on the contents of
'hosts allow' and 'hosts deny'.

Attached is a patch which adds a 'force_lookup' option to the
get_socket_name() function, permitting lib/access.c:check_access() to
always retrieve the real hostname if needed.

Steve Langasek
postmodern programmer
Index: lib/access.c =================================================================== RCS file: /cvsroot/samba/source/lib/access.c,v retrieving revision 1.33 diff -u -w -r1.33 access.c --- lib/access.c 14 Jun 2002 02:06:58 -0000 1.33 +++ lib/access.c 8 Sep 2002 23:39:15 -0000 @@ -316,20 +316,20 @@ else { DEBUG (3, ("check_access: hostnames in host allow/deny list.\n")); - ret = allow_access(deny_list,allow_list, get_socket_name(sock), + ret = allow_access(deny_list,allow_list, +get_socket_name(sock,True), get_socket_addr(sock)); } if (ret) { DEBUG(2,("Allowed connection from %s (%s)\n", - only_ip ? "" : get_socket_name(sock), + only_ip ? "" : get_socket_name(sock,True), get_socket_addr(sock))); } else { DEBUG(0,("Denied connection from %s (%s)\n", - only_ip ? "" : get_socket_name(sock), + only_ip ? "" : get_socket_name(sock,True), get_socket_addr(sock))); } } Index: lib/util_sock.c =================================================================== RCS file: /cvsroot/samba/source/lib/util_sock.c,v retrieving revision 1.66 diff -u -w -r1.66 util_sock.c --- lib/util_sock.c 8 Jul 2002 02:14:57 -0000 1.66 +++ lib/util_sock.c 8 Sep 2002 23:39:15 -0000 @@ -832,7 +832,7 @@ char *client_name(void) { - return get_socket_name(client_fd); + return get_socket_name(client_fd,False); } char *client_addr(void) @@ -890,7 +890,7 @@ /******************************************************************* return the DNS name of the remote end of a socket ******************************************************************/ -char *get_socket_name(int fd) +char *get_socket_name(int fd, BOOL force_lookup) { static pstring name_buf; static fstring addr_buf; 
@@ -902,7 +902,7 @@ situations won't work because many networks don't link dhcp with dns. To avoid the delay we avoid the lookup if possible */ - if (!lp_hostname_lookups()) { + if (!lp_hostname_lookups() && (force_lookup == False)) { return get_socket_addr(fd); } Index: web/cgi.c =================================================================== RCS file: /cvsroot/samba/source/web/cgi.c,v retrieving revision 1.59 diff -u -w -r1.59 cgi.c --- web/cgi.c 25 Jun 2002 02:29:09 -0000 1.59 +++ web/cgi.c 8 Sep 2002 23:39:16 -0000 @@ -636,7 +636,7 @@ char *cgi_remote_host(void) { if (inetd_server) { - return get_socket_name(1); + return get_socket_name(1,False); } return getenv("REMOTE_HOST"); }
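Review bot: In the lib/access.c hunk the name returned by get_socket_name(sock,True) now feeds allow_access() directly, so the forced path makes an allow/deny decision on a reverse-DNS result; please confirm as part of this review that get_socket_name() only hands back a name whose forward lookup agrees with the peer address (otherwise whoever controls the PTR record chooses which 'hosts allow'/'hosts deny' token the connection matches). The two DEBUG lines are fine as written, since `only_ip ? "" : get_socket_name(sock,True)` only forces the lookup in the branch that has already performed it.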
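Review bot: The new `force_lookup` parameter introduced at `@@ -890,7 +890,7 @@` in lib/util_sock.c is not mentioned in the comment block directly above the function; extend "return the DNS name of the remote end of a socket" to say that the lookup is skipped when 'hostname lookups' is off unless force_lookup is True. The patch also changes the signature without touching any prototype declaration, and updates only the callers in access.c, util_sock.c and web/cgi.c; confirm that the generated prototypes are refreshed and that no other caller still uses the one-argument form, or the tree will not build.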
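Review bot: In the `@@ -902,7 +902,7 @@` hunk, `(force_lookup == False)` compares a BOOL against a constant; the idiomatic form reads as the intent and avoids surprises if a caller ever passes a non-canonical truth value: `if (!lp_hostname_lookups() && !force_lookup) {`. The comment just above ("To avoid the delay we avoid the lookup if possible") should also note that a caller can override the setting, since this is now the one place where the lookup delay is deliberately reintroduced.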
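The failure mode the message describes (hostname tokens in 'hosts allow' / 'hosts deny' that silently never match once 'hostname lookups = no', and the patch's forced lookup restoring them), modelled as an added C example that is not part of the posted patch or of Samba's own code. The reverse-DNS table, the addresses and the hostnames are constructed test values; `socket_name`, `check_access` and the list helpers are simplified stand-ins for Samba's get_socket_name(), check_access() and allow_access(), matching tokens exactly rather than with Samba's suffix and netmask rules.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed reverse-DNS table standing in for gethostbyaddr(); the
 * addresses and names are documentation/test values, not real hosts. */
struct rdns_entry { const char *addr; const char *name; };
static const struct rdns_entry RDNS_TABLE[] = {
    { "192.0.2.10",   "fileserver.example.org" },
    { "198.51.100.7", "badhost.example.net" },
};

/* Model of get_socket_name(fd, force_lookup) as changed by the patch: the
 * reverse lookup happens only if 'hostname lookups' is on or the caller
 * forces it; otherwise the address string is returned in place of a name.
 * A failed lookup also yields the address here (a simplification). */
static const char *socket_name(const char *addr, bool hostname_lookups, bool force_lookup)
{
    size_t i;
    if (!hostname_lookups && !force_lookup)
        return addr;
    for (i = 0; i < sizeof RDNS_TABLE / sizeof RDNS_TABLE[0]; i++)
        if (strcmp(RDNS_TABLE[i].addr, addr) == 0)
            return RDNS_TABLE[i].name;
    return addr;
}

/* A token made only of digits, dots and slashes is an address/netmask;
 * anything else is treated as a hostname token. */
static bool is_hostname_token(const char *tok)
{
    for (; *tok; tok++)
        if (!(isdigit((unsigned char)*tok) || *tok == '.' || *tok == '/'))
            return true;
    return false;
}

static bool list_has_hostnames(const char *const *list)
{
    for (; list && *list; list++)
        if (is_hostname_token(*list))
            return true;
    return false;
}

/* Exact-match list test against either the resolved name or the address. */
static bool list_matches(const char *const *list, const char *name, const char *addr)
{
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0 || strcmp(*list, addr) == 0)
            return true;
    return false;
}

/* Simplified allow_access(): an allow match wins, then a deny match
 * rejects, and a non-empty allow list rejects everyone else. */
static bool allow_access(const char *const *deny, const char *const *allow,
                         const char *name, const char *addr)
{
    if (list_matches(allow, name, addr)) return true;
    if (list_matches(deny, name, addr))  return false;
    return !(allow && *allow);
}

/* Model of check_access(). Unpatched, the name handed to the lists is
 * whatever the global setting yields; patched, the lookup is forced
 * whenever either list carries a hostname token, mirroring the
 * get_socket_name(sock,True) call in the posted diff. */
bool check_access(const char *const *deny, const char *const *allow,
                  const char *addr, bool hostname_lookups, bool patched)
{
    bool only_ip = !list_has_hostnames(deny) && !list_has_hostnames(allow);
    bool force = patched && !only_ip;
    const char *name = only_ip ? addr : socket_name(addr, hostname_lookups, force);
    return allow_access(deny, allow, name, addr);
}

/* Constructed configurations: a deny-by-hostname list and an allow-by-hostname list. */
static const char *const DENY_BAD[] = { "badhost.example.net", NULL };
static const char *const ALLOW_FS[] = { "fileserver.example.org", NULL };
static const char *const NONE[]     = { NULL };

/* The security hole: with lookups off and no forced lookup, the denied host gets in. */
bool deny_bypassed_when_lookups_off(void) { return  check_access(DENY_BAD, NONE, "198.51.100.7", false, false); }
bool deny_enforced_when_patched(void)     { return !check_access(DENY_BAD, NONE, "198.51.100.7", false, true); }
/* The availability failure: a legitimate allowed host is blocked until the lookup is forced. */
bool allow_blocked_when_lookups_off(void) { return !check_access(NONE, ALLOW_FS, "192.0.2.10", false, false); }
bool allow_works_when_patched(void)       { return  check_access(NONE, ALLOW_FS, "192.0.2.10", false, true); }

int main(void)
{
    printf("deny list bypassed with lookups off, unpatched: %d\n", deny_bypassed_when_lookups_off());
    printf("deny list enforced with patch:                   %d\n", deny_enforced_when_patched());
    printf("allow list blocks legitimate host, unpatched:    %d\n", allow_blocked_when_lookups_off());
    printf("allow list works with patch:                     %d\n", allow_works_when_patched());
    return 0;
}
```

The point the model makes explicit is that a hostname token can never match an address string, so with lookups disabled an allow list rejects everyone it was meant to admit while a deny list rejects no one; forcing the lookup only when a list actually holds a hostname token, as the patch does, repairs both without changing what %M reports elsewhere.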