Bug 1577265

Summary: nospoof, spoof, and spoofalert were not implemented and apparently removed.
Product: Red Hat Enterprise Linux 7
Reporter: Peter E. <peter.elsner>
Component: man-pages-overrides
Assignee: Nikola Forró <nforro>
Status: CLOSED ERRATA
QA Contact: Jan Houska <jhouska>
Severity: low
Priority: unspecified
Version: 7.5
CC: bugzilla.redhat.com.dev, djez, don, nforro, peter.elsner, smoroney, vondruch
Target Milestone: rc
Keywords: ManPageChange, Patch
Hardware: x86_64
OS: Linux
Fixed In Version: man-pages-overrides-7.6.1-3.el7
Doc Type: Bug Fix
Doc Text:
Cause: nospoof, spoofalert and spoof options of /etc/host.conf configuration file had been removed completely in RHEL 7.5, but remained documented in host.conf manual page.
Consequence: Users having some of the spoof options present in the configuration file might have been confused by the fact that those are being rejected as invalid, while being documented.
Fix: The spoof options were removed from the manual page.
Result: No invalid options are documented in manual page of host.conf.
Last Closed: 2018-10-30 11:34:51 UTC
Bug Blocks: 1592876
Attachments:
host.conf.5: clarify glibc versions in which spoof options were recognized (flags: none)

Description Peter E. 2018-05-11 14:58:48 UTC

According to the man page for host.conf(5) (http://man7.org/linux/man-pages/man5/host.conf.5.html), it states:

Since glibc 2.0.7, the following keywords and environment variable
       have been recognized but never implemented:

       nospoof
              Valid values are on and off.  If set to on, the resolver
              library will attempt to prevent hostname spoofing to enhance
              the security of rlogin and rsh.  It works as follows: after
              performing a host address lookup, the resolver library will
              perform a hostname lookup for that address.  If the two
              hostnames do not match, the query fails.  The default value is
              off.

       spoofalert
              Valid values are on and off.  If this option is set to on and
              the nospoof option is also set, the resolver library will log
              a warning of the error via the syslog facility.  The default
              value is off.

       spoof  Valid values are off, nowarn, and warn.  If this option is set
              to off, spoofed addresses are permitted and no warnings will
              be emitted via the syslog facility.  If this option is set to
              warn, the resolver library will attempt to prevent hostname
              spoofing to enhance the security and log a warning of the
              error via the syslog facility.  If this option is set to
              nowarn, the resolver library will attempt to prevent hostname
              spoofing to enhance the security but not emit warnings via the
              syslog facility.  Setting this option to anything else is
              equal to setting it to nowarn.

Many users may have added nospoof to their /etc/host.conf file, and this was simply ignored up until RHEL 7.4, but it is now reported as an invalid command as of RHEL 7.5.

/etc/host.conf: line 6: bad command `nospoof on'

This can cause a few issues on the server that will only be corrected by commenting out that line (or removing it).  

The man pages should probably be updated to remove those since they are no longer valid.  

Reproducible: Always

Steps to Reproduce:
1. Have a RHEL 7.4 server and add "nospoof on" (sans quotes) to the /etc/host.conf file if it doesn't already exist.
2. Update to 7.5.
3. Watch that error appear with many of the commands you try to execute.

Actual Results:
Saw the error with several commands.

yum update
wget https://someurl etc. 



Expected Results:  
No errors are expected. 

Related reference from the man-pages project change-log

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443

http://man7.org/linux/man-pages/changelog.html (search the page for "host.conf")

It seems that the nospoof command was never fully implemented despite being included in the manpage for /etc/host.conf. It was then entirely removed from the source code, which is now resulting in the errors that we're seeing with it.
https://www.pclinuxos.com/forum/index.php?topic=143487.0

https://bugs.centos.org/view.php?id=14762
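
A check for the condition in this report, added here as an example (it is not Red Hat's or glibc's code): it scans host.conf text for the three removed options, reports them in the message format quoted above, and returns a copy with those lines commented out. The function name, the comment-handling rule and the sample file are assumptions made for the example.

```python
# Options the bug report says were removed in RHEL 7.5 and are now rejected.
REMOVED = {"nospoof", "spoofalert", "spoof"}


def audit_host_conf(text, path="/etc/host.conf"):
    """Return (findings, cleaned_text) for the contents of a host.conf file.

    findings mirror the message format quoted in the report; cleaned_text
    has each offending line commented out and every other line untouched.
    """
    findings, cleaned = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Assumption: '#' starts a comment and leading whitespace is ignored.
        body = line.split("#", 1)[0].strip()
        # Keywords are matched case-insensitively to be conservative.
        keyword = body.split(None, 1)[0].lower() if body else ""
        if keyword in REMOVED:
            findings.append("%s: line %d: bad command `%s'" % (path, lineno, body))
            cleaned.append("# removed option, disabled: " + line.strip())
        else:
            cleaned.append(line)
    return findings, "\n".join(cleaned) + "\n"


# Constructed sample file: 'nospoof on' sits on line 6, as in the report.
SAMPLE = """\
# /etc/host.conf (constructed sample)
multi on
reorder off

trim .example.com
nospoof on
  SpoofAlert on   # legacy hardening guide
spoof warn
"""

if __name__ == "__main__":
    found, fixed = audit_host_conf(SAMPLE)
    print("\n".join(found))
    print(fixed, end="")
```

Running the audit again on the cleaned text returns no findings, which makes it usable as a pre-upgrade check before moving a host from 7.4 to 7.5.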

Comment 2 Ondrej Vasik 2018-05-14 07:39:14 UTC
host.conf (5) manpage is part of man-pages package... Reassigning, as none of these is part of default host.conf coming with setup package.

Comment 3 Nikola Forró 2018-05-24 12:26:47 UTC
Created attachment 1441042 [details]
host.conf.5: clarify glibc versions in which spoof options were recognized

Comment 4 Nikola Forró 2018-05-24 12:29:07 UTC
Peter, is this change sufficient?

Comment 5 Peter E. 2018-05-25 12:53:24 UTC
Hello Nikola, 

Yes, that should suffice. 

Thank you.
(In reply to Nikola Forró from comment #4)
> Peter, is this change sufficient?

Comment 13 Jan Houska 2018-08-17 12:48:48 UTC
VERIFIED

New PASS
man-pages-overrides-7.6.1-3.el7.

In 'man host.conf'

I agree with Comment 10.  The Description is now consistent. Also close description of the mentioned options is now sane. 

"""
DESCRIPTION
       The  file /etc/host.conf contains configuration information specific to the resolver library.  It should contain one configuration keyword per line, followed by appropriate con‐
       figuration information.  The keywords recognized are trim, multi, and reorder.  These keywords are described below.
       
       
       trim   This keyword may be listed more than once.  Each time it should be followed by a list of domains, separated by colons (':'), semicolons (';') or commas  (','),  with  the
              leading  dot.   When  set, the resolv+ library will automatically trim the given domain name from the end of any hostname resolved via DNS.  This is intended for use with
              local hosts and domains.  (Related note: trim will not affect hostnames gathered via NIS or the hosts file.  Care should be taken to ensure that the  first  hostname  for
              each entry in the hosts file is fully qualified or unqualified, as appropriate for the local installation.)

       multi  Valid values are on and off.  If set to on, the resolv+ library will return all valid addresses for a host that appears in the /etc/hosts file, instead of only the first.
              This is on by default.  On systems with DNS, hosts files are much smaller and the performance loss of multiple search is negligible. On  sites  with  large  hosts  files,
              turning it on may cause a substantial performance loss.

       reorder
              Valid  values  are  on  and  off.  If set to on, resolv+ will attempt to reorder host addresses so that local addresses (i.e., on the same subnet) are listed first when a
              gethostbyname(3) is performed.  Reordering is done for all lookup methods.  The default value is off.
       
...
"""

OLD Fail:
man-pages-overrides-7.5.2-1.el7

"""
DESCRIPTION
       The  file /etc/host.conf contains configuration information specific to the resolver library.  It should contain one configuration keyword per line, followed by appropriate con‐
       figuration information.  The keywords recognized are trim, multi, nospoof, spoof, and reorder.  These keywords are described below.

       trim   This keyword may be listed more than once.  Each time it should be followed by a list of domains, separated by colons (':'), semicolons (';') or commas  (','),  with  the
              leading  dot.   When  set, the resolv+ library will automatically trim the given domain name from the end of any hostname resolved via DNS.  This is intended for use with
              local hosts and domains.  (Related note: trim will not affect hostnames gathered via NIS or the hosts file.  Care should be taken to ensure that the  first  hostname  for
              each entry in the hosts file is fully qualified or unqualified, as appropriate for the local installation.)

       multi  Valid values are on and off.  If set to on, the resolv+ library will return all valid addresses for a host that appears in the /etc/hosts file, instead of only the first.
              This is on by default.  On systems with DNS, hosts files are much smaller and the performance loss of multiple search is negligible. On  sites  with  large  hosts  files,
              turning it on may cause a substantial performance loss.

       nospoof
              Valid values are on and off.  If set to on, the resolv+ library will attempt to prevent hostname spoofing to enhance the security of rlogin and rsh.  It works as follows:
              after performing a host address lookup, resolv+ will perform a hostname lookup for that address.  If the two hostnames do not match, the query  will  fail.   The  default
              value is off.

       spoofalert
              Valid  values  are  on  and  off.   If  this option is set to on and the nospoof option is also set, resolv+ will log a warning of the error via the syslog facility.  The
              default value is off.

       spoof  Valid values are off, nowarn and warn.  If this option is set to off, spoofed addresses are permitted and no warnings will be emitted via the syslog  facility.   If  this
              option  is  set to warn, resolv+ will attempt to prevent hostname spoofing to enhance the security and log a warning of the error via the syslog facility.  If this option
              is set to nowarn, the resolv+ library will attempt to prevent hostname spoofing to enhance the security but not emit warnings  via  the  syslog  facility.   Setting  this
              option to anything else is equal to setting it to nowarn.

       reorder
              Valid  values  are  on  and  off.  If set to on, resolv+ will attempt to reorder host addresses so that local addresses (i.e., on the same subnet) are listed first when a
              gethostbyname(3) is performed.  Reordering is done for all lookup methods.  The default value is off.

"""

Comment 16 errata-xmlrpc 2018-10-30 11:34:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3254