Bug 493631

Summary: nfs-utils-1.0.9-40.el5 doesn't work with tcp_wrapper/missing reverse DNS lookups
Product: Red Hat Enterprise Linux 4
Reporter: Jan Ščotka <jscotka>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: urgent
Priority: low
Version: 4.8
CC: axel.thimm, dcantrell, deknuydt, dkovalsk, pwaldenlinux, rhbugzilla, sameer.subscriptions, steved, thoger, wtogami, zboszor
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 483774
Last Closed: 2009-04-07 16:01:29 UTC
Bug Depends On: 483774, 494878

Comment 6 Warren Togami 2009-04-02 14:56:35 UTC
What exactly is the broken behavior in RHEL4/5 that needs to be fixed?  The cloned bug above is too full of garbage.

Comment 7 Tomas Hoger 2009-04-02 15:13:04 UTC
(In reply to comment #6)
> What exactly is the broken behavior in RHEL4/5 that needs to be fixed?  The
> cloned bug above is too full of garbage.  

https://bugzilla.redhat.com/show_bug.cgi?id=458676#c8

In the current RHEL5 version, if you have a hostname-based rule in hosts.deny, it may be ignored.  Sure, using hostnames there is a pretty bad idea anyway, as a DNS outage will have the same result.  A similar change is now being added to RHEL4, that's why I already asked in the relevant bug report to consider Steve's rewrite instead.

Comment 8 Jan Ščotka 2009-04-02 15:22:54 UTC
I tested support by tcp wrappers,
And it seems to be okay, until used mount locally,

in hosts.deny is
mountd:ALL
statd:ALL

hosts.allow is empty

exports contain
/tmp *(ro,sync)

then
# mount ppcp-4as-v1.lab.bos.redhat.com:/tmp /mnt
When I tried it from another machine, everything was ok, (RPC Error:
Authentication error.)

But when I used the same command on the computer where nfs is running, the mount is successful
(but shouldn't be)


I'm not sure if it is caused by DNS hostnames (because there is ALL in hosts.deny). But I think this bug should be fixed (not all host lookup).
In case of questions, please ping me on irc #qa #urt #devel

Comment 9 Warren Togami 2009-04-02 15:25:15 UTC
This should be CLOSED CANTFIX or NOTABUG.

https://bugzilla.redhat.com/show_bug.cgi?id=480223#c18
This proposed behavior was pushed to Fedora updates and it was a disaster breaking many existing deployments.  Upstream refused to accept this and we backed it out from Fedora.  This is simply a design limitation of tcp wrappers.

Comment 10 Tomas Hoger 2009-04-02 19:04:09 UTC
(In reply to comment #8)
> And it seems to be okay, until used mount locally,
[ ... ]
> But when I used same command on computer where nfs running, mount is successful
> (but shouldn't be)

On a first read, it sounds like this may even be a feature...  And a quick look into support/misc/tcpwrapper.c confirms:

int
check_default(daemon, addr, proc, prog)
char *daemon;
struct sockaddr_in *addr;
u_long  proc;
u_long  prog;
{
    if (!(from_local(addr) || good_client(daemon, addr))) {
        log_bad_host(addr, proc, prog);
        return (FALSE);
    }

All local access bypasses tcp_wrappers checking entirely.  Though this is quite obviously unrelated to the bug that was cloned.  So what problem is this bug supposed to report?

(In reply to comment #9)
> This proposed behavior was pushed to Fedora updates and it was a disaster
> breaking many existing deployments.

Sorry Warren, I'm unable to follow you.  I have explained the differences (and problems) of the patch that went into Fedora, and that it is not used or on the way to RHEL.  Is there any mistake in that?

> Upstream refused to accept this and we backed it out from Fedora.

Not really.  The bad fix was reverted and replaced with a good fix.  Why not use the good fix in RHEL too?

> This is simply a design limitation of tcp wrappers.  

Do you mean the problem with hostname based rules vs. DNS outages?
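
The short-circuit in the excerpt quoted in comment 10, as an added example that is not part of the bug thread or of nfs-utils. `is_local()` and `wrapper_allows()` are simplified stand-ins for `from_local()` and `good_client()`; the deny rules are the ones from comment 8, while the interface list, the peer addresses and the strict variant are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
/* Constructed data: hosts.deny as in comment 8, plus a made-up interface list. */
static const char *hosts_deny[] = { "mountd:ALL", "statd:ALL" };
static const char *local_ifaddrs[] = { "127.0.0.1", "192.0.2.10" };

/* Stand-in for from_local(): is the peer one of this host's own addresses? */
static int is_local(const struct sockaddr_in *peer)
{
    for (size_t i = 0; i < sizeof local_ifaddrs / sizeof *local_ifaddrs; i++)
        if (peer->sin_addr.s_addr == inet_addr(local_ifaddrs[i]))
            return 1;
    return 0;
}

/* Stand-in for good_client(): empty hosts.allow; "daemon:ALL" / "daemon:<IPv4>" deny entries only. */
static int wrapper_allows(const char *daemon, const struct sockaddr_in *peer)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &peer->sin_addr, ip, sizeof ip);
    for (size_t i = 0; i < sizeof hosts_deny / sizeof *hosts_deny; i++) {
        const char *colon = strchr(hosts_deny[i], ':');
        size_t n = (size_t)(colon - hosts_deny[i]);
        if (strlen(daemon) == n && strncmp(hosts_deny[i], daemon, n) == 0 &&
            (strcmp(colon + 1, "ALL") == 0 || strcmp(colon + 1, ip) == 0))
            return 0;   /* a deny rule matches this daemon and peer */
    }
    return 1;
}

/* bypass=1: order of checks quoted in comment 10; bypass=0: hypothetical strict check. */
int access_granted(const char *daemon, const char *ip, int bypass)
{
    struct sockaddr_in peer = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, ip, &peer.sin_addr) != 1)
        return 0;   /* unparsable peer address: refuse */
    return (bypass && is_local(&peer)) || wrapper_allows(daemon, &peer);
}

int main(void)
{
    const char *peers[] = { "192.0.2.10", "198.51.100.7" };
    for (int i = 0; i < 2; i++)
        printf("%-13s bypass=%d strict=%d\n", peers[i],
               access_granted("mountd", peers[i], 1), access_granted("mountd", peers[i], 0));
    return 0;
}
```

With the local check evaluated first, `mountd:ALL` never applies to a peer address that belongs to the server itself, which matches the local mount result reported in comment 8.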

Comment 11 Jan Ščotka 2009-04-03 11:10:32 UTC
So, if it is the expected result, then everything is okay.
The problem is that when I tested tcp_wrappers with snmpd, local hosts were also refused.
I expected the same behaviour with nfs.

Comment 12 Warren Togami 2009-04-03 15:29:07 UTC
Perhaps both the RHEL4 and RHEL5 bugs should start again.  There was too much garbage here confusing the issue.  Fresh bugs should be filed describing EXACTLY what needs to be fixed.

Comment 15 Jan Ščotka 2009-04-07 16:01:29 UTC
Because of the previous comment.