Bug 493631
Summary: | nfs-utils-1.0.9-40.el5 doesn't work with tcp_wrapper/missing reverse DNS lookups
---|---
Product: | Red Hat Enterprise Linux 4
Component: | nfs-utils
Version: | 4.8
Status: | CLOSED WONTFIX
Severity: | urgent
Priority: | low
Reporter: | Jan Ščotka <jscotka>
Assignee: | Steve Dickson <steved>
QA Contact: | BaseOS QE <qe-baseos-auto>
CC: | axel.thimm, dcantrell, deknuydt, dkovalsk, pwaldenlinux, rhbugzilla, sameer.subscriptions, steved, thoger, wtogami, zboszor
Target Milestone: | rc
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Clone Of: | 483774
Last Closed: | 2009-04-07 16:01:29 UTC
Bug Depends On: | 483774, 494878
Comment 6
Warren Togami
2009-04-02 14:56:35 UTC
(In reply to comment #6)
> What exactly is the broken behavior in RHEL4/5 that needs to be fixed? The
> cloned bug above is too full of garbage.

https://bugzilla.redhat.com/show_bug.cgi?id=458676#c8

In current RHEL5 version, if you have a hostname-based rule in hosts.deny, it may be ignored. Sure, using hostnames there is pretty bad idea anyway, as DNS outage will have the same result.

Similar change is now being added to RHEL4, that's why I already asked in relevant bug report to consider Steve's rewrite instead.

I tested support by tcp wrappers, and it seems to be okay, until used mount locally,

in hosts.deny is

    mountd:ALL
    statd:ALL

hosts.allow is empty

exports contain

    /tmp *(ro,sync)

then

    # mount ppcp-4as-v1.lab.bos.redhat.com:/tmp /mnt

When I tried it from another machine, everything was ok (RPC Error: Authentication error.)
But when I used same command on computer where nfs running, mount is successful (but shouldn't be).

I'm not sure if it is caused by DNS hostnames (because there is ALL in hosts.deny).
But I think this bug should be fixed (not all host lookup).
In case of question, please ping me on irc #qa #urt #devel

This should be CLOSED CANTFIX or NOTABUG.

https://bugzilla.redhat.com/show_bug.cgi?id=480223#c18

This proposed behavior was pushed to Fedora updates and it was a disaster breaking many existing deployments. Upstream refused to accept this and we backed it out from Fedora.

This is simply a design limitation of tcp wrappers.

(In reply to comment #8)
> And it seems to be okay, until used mount locally,
[ ... ]
> But when I used same command on computer where nfs running, mount is successful
> (but shouldn't be)

On a first read, it sounds like this may even be a feature... And quick look into support/misc/tcpwrapper.c confirms:

    int
    check_default(daemon, addr, proc, prog)
    char *daemon;
    struct sockaddr_in *addr;
    u_long proc;
    u_long prog;
    {
        if (!(from_local(addr) || good_client(daemon, addr))) {
            log_bad_host(addr, proc, prog);
            return (FALSE);
        }

All local access bypasses tcp_wrappers checking at all.

Though this is quite obviously unrelated to the bug that was cloned. So what problem is this bug supposed to report?

(In reply to comment #9)
> This proposed behavior was pushed to Fedora updates and it was a disaster
> breaking many existing deployments.

Sorry Warren, I'm unable to follow you. I have explained the differences (and problems) of the patch that went into Fedora, and that it is not used or on the way to RHEL. Is there any mistake in that?

> Upstream refused to accept this and we backed it out from Fedora.

Not really. Bad fix was reverted and replaced with good fix. Why not use the good fix in RHEL too?

> This is simply a design limitation of tcp wrappers.

Do you mean problem with hostname based rules vs. DNS outages?

So, if it is expected result, then everything is okay.
Problem is that when I tested tcp_wrappers with snmpd, then also local hosts were refused.
I expected same behaviour with nfs.

Perhaps both the RHEL4 and RHEL5 bug should start again. There was too much garbage here confusing the issue. Fresh bugs should be filed describing EXACTLY what needs to be fixed.

because previous comment.
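Added example (not part of the bug thread and not nfs-utils code): a small C model of the decision in the `check_default()` excerpt quoted above, evaluated against the hosts.deny/hosts.allow setup from the test report, showing why the mount from the server itself is accepted while a remote one is refused. `from_local_model`, `good_client_model`, the rule matcher and all addresses are constructed stand-ins; only `ALL` and literal-address client patterns are modelled.

```c
#include <stdio.h>
#include <string.h>

struct rule { const char *daemon, *client; };  /* one "daemon: client" entry */

/* Constructed sample mirroring the setup in the test report. */
static const struct rule hosts_allow[] = { { NULL, NULL } };  /* empty file */
static const struct rule hosts_deny[] = { { "mountd", "ALL" }, { "statd", "ALL" }, { NULL, NULL } };
static const char *server_addrs[] = { "127.0.0.1", "192.0.2.5", NULL };  /* server's own IPs */

/* Does any rule cover this daemon/client pair? Only ALL and literal IPs. */
static int matches(const struct rule *r, const char *daemon, const char *ip)
{
    for (; r->daemon; r++)
        if ((!strcmp(r->daemon, "ALL") || !strcmp(r->daemon, daemon)) &&
            (!strcmp(r->client, "ALL") || !strcmp(r->client, ip)))
            return 1;
    return 0;
}

/* hosts_access(5) order: allow match grants, deny match refuses, else grant. */
int good_client_model(const char *daemon, const char *ip)
{
    return matches(hosts_allow, daemon, ip) || !matches(hosts_deny, daemon, ip);
}

/* Assumed stand-in for from_local(): peer is one of the server's own IPs. */
static int from_local_model(const char *ip)
{
    for (const char **a = server_addrs; *a; a++)
        if (!strcmp(*a, ip)) return 1;
    return 0;
}

/* Same shape as the quoted check: a local peer skips the wrapper policy. */
int check_with_bypass(const char *daemon, const char *ip)
{
    return from_local_model(ip) || good_client_model(daemon, ip);
}

int main(void)
{
    const char *peers[] = { "192.0.2.5", "198.51.100.7" };  /* local, remote */
    for (int i = 0; i < 2; i++)
        printf("%-13s with_bypass=%d policy_only=%d\n", peers[i],
               check_with_bypass("mountd", peers[i]), good_client_model("mountd", peers[i]));
    return 0;
}
```

The `policy_only` column is what the wrapper rules alone would decide, which is the result the tester expected for the local mount.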