[Bug 1455061] Re: White-listing IP-numbers or networks doesn't work

2015-05-14 Thread jtniehof
Hi Jonas--

Thanks for the report. If I recall correctly, allow_missing_dns no
overrides allow entries (despite the "passed through with no checks"
in the man page, I probably miswrote there) -- the DNS check comes
first. I'll take a look and at the very least update the documentation, but
I do think it makes sense to let allow skip the DNS checks if it's
numeric.

In the meantime, try allow_missing_dns yes and allow_missing_reverse
yes if you feel comfortable with the security/attribution implications.

Note that the chance of upstream changes showing up in Ubuntu is quite
low; I finally orphaned the package in Debian since it would take months
and, sometimes, years to get a sponsor for the upload.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1455061

Title:
  White-listing IP-numbers or networks doesn't work

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-shield/+bug/1455061/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1455061] Re: White-listing IP-numbers or networks doesn't work

2015-05-14 Thread Jonas Ringh
I have allow_missing_dns and allow_missing_reverse set to yes
already. I also have block all-users set.

After digging through the source code a bit, I tracked it down to the
function match_ipv4_list in pam_shield_lib.c and the for loop that
loops over the octets in the IP and mask. GCC seems to do some somewhat
dodgy optimization of that loop; if you comment out the break
statement on line 124 you will get the following warning...

pam_shield_lib.c:126:23: warning: iteration 1u invokes undefined behavior [-Waggressive-loop-optimizations]
   if (( ip->ip.any[i] & ip->mask.any[i]) != (saddr[i] & ip->mask.any[i])) {
   ^
pam_shield_lib.c:125:5: note: containing loop
 for(i = 0; i < sizeof(ip->ip.in.s_addr); i++) {
 ^
I found two ways to make the loop behave. Either you declare i volatile
or turn off optimization on that section of the code.

And don't forget about match_ipv6_list, you probably have the same
problem there too.

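Added example, not pam_shield's own code: a masked allowlist comparison for IPv4 and IPv6 written so that every index stays inside the declared size of the arrays it touches. GCC prints "iteration N invokes undefined behavior" when it can prove a loop iteration would do something undefined, such as indexing past an array's declared bound, and it may then compile the loop as if that iteration never runs. The struct and function names below are hypothetical.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical allowlist entry: the byte arrays are declared large enough
 * for the longest address family (16 bytes for IPv6). */
struct allow_entry {
    int family;                 /* AF_INET or AF_INET6 */
    unsigned char addr[16];
    unsigned char mask[16];
};

static size_t family_len(int family) {
    return family == AF_INET ? 4 : family == AF_INET6 ? 16 : 0;
}

/* Build an entry from a text address and prefix length; 0 on success. */
int allow_entry_init(struct allow_entry *e, int family, const char *text, unsigned prefix) {
    size_t len = family_len(family);
    if (len == 0 || prefix > len * 8) return -1;
    memset(e, 0, sizeof *e);
    e->family = family;
    if (inet_pton(family, text, e->addr) != 1) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned bits = prefix > 8 * i ? prefix - 8 * i : 0; /* prefix bits left for octet i */
        e->mask[i] = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));
    }
    return 0;
}

/* 1 if the peer address lies inside the entry's network, else 0. */
int allow_entry_match(const struct allow_entry *e, int family, const char *peer_text) {
    unsigned char peer[16] = {0};
    size_t len = family_len(family);
    if (len == 0 || family != e->family) return 0;
    if (inet_pton(family, peer_text, peer) != 1) return 0;
    for (size_t i = 0; i < len; i++)          /* every octet must be compared */
        if ((e->addr[i] & e->mask[i]) != (peer[i] & e->mask[i]))
            return 0;
    return 1;
}

/* Convenience wrapper: does net/prefix allow peer? Fails closed on bad input. */
int cidr_allows(int family, const char *net, unsigned prefix, const char *peer) {
    struct allow_entry e;
    return allow_entry_init(&e, family, net, prefix) == 0
        && allow_entry_match(&e, family, peer);
}
```

The second test case in a check of this code is the interesting one: two addresses that agree in the first octet but differ later must not match, which is exactly what goes wrong if the compiler keeps only iteration 0 of the loop.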


[Bug 1455061] Re: White-listing IP-numbers or networks doesn't work

2015-05-14 Thread jtniehof
Thanks Jonas! I've entered this in my GitHub and I should have a chance
to address it this weekend. Let me know if you'd like to be credited as
other than your full name here.
