1577265 – nospoof, spoof, and spoofalert were not implemented and apparently removed.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1577265 - nospoof, spoof, and spoofalert were not implemented and apparently removed.

Summary: nospoof, spoof, and spoofalert were not implemented and apparently removed.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	man-pages-overrides
Sub Component:
Version:	7.5
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Nikola Forró
QA Contact:	Jan Houska
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1592876
TreeView+	depends on / blocked

Reported:	2018-05-11 14:58 UTC by Peter E.
Modified:	2021-09-09 14:01 UTC (History)
CC List:	7 users (show)
Fixed In Version:	man-pages-overrides-7.6.1-3.el7
Doc Type:	Bug Fix
Doc Text:	Cause: nospoof, spoofalert and spoof options of /etc/host.conf configuration file had been removed completely in RHEL 7.5, but remained documented in host.conf manual page. Consequence: Users having some of the spoof options present in the configuration file might have been confused by the fact that those are being rejected as invalid, while being documented. Fix: The spoof options were removed from the manual page. Result: No invalid options are documented in manual page of host.conf.
Clone Of:
Environment:
Last Closed:	2018-10-30 11:34:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
host.conf.5: clarify glibc versions in which spoof options were recognized (1.12 KB, patch) 2018-05-24 12:26 UTC, Nikola Forró	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3254	0	None	None	None	2018-10-30 11:35:39 UTC

Description Peter E. 2018-05-11 14:58:48 UTC

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Build Identifier:

According to the man page for host.conf (5) - http://man7.org/linux/man-pages/man5/host.conf.5.html it states:

Since glibc 2.0.7, the following keywords and environment variable
have been recognized but never implemented:

nospoof
Valid values are on and off. If set to on, the resolver
library will attempt to prevent hostname spoofing to enhance
the security of rlogin and rsh. It works as follows: after
performing a host address lookup, the resolver library will
perform a hostname lookup for that address. If the two
hostnames do not match, the query fails. The default value is
off.

spoofalert
Valid values are on and off. If this option is set to on and
the nospoof option is also set, the resolver library will log
a warning of the error via the syslog facility. The default
value is off.

spoof Valid values are off, nowarn, and warn. If this option is set
to off, spoofed addresses are permitted and no warnings will
be emitted via the syslog facility. If this option is set to
warn, the resolver library will attempt to prevent hostname
spoofing to enhance the security and log a warning of the
error via the syslog facility. If this option is set to
nowarn, the resolver library will attempt to prevent hostname
spoofing to enhance the security but not emit warnings via the
syslog facility. Setting this option to anything else is
equal to setting it to nowarn.

Many users may have added nospoof to their /etc/host.conf file and this was simply ignored up until RHEL 7.4. But is now reporting an invalid command as of RHEL 7.5.

/etc/host.conf: line 6: bad command `nospoof on'

This can cause a few issues on the server that will only be corrected by commenting out that line (or removing it).

The man pages should probably be updated to remove those since they are no longer valid.

Reproducible: Always

Steps to Reproduce:
1. Have a RHEL 7.4 server and add "nospoof on" (sans quotes) to the /etc/host.conf file if it doesn't already exist.
2. update to 7.5
3. watch that error appear with many of the commands you try to execute.
Actual Results:
Saw the error with several commands.

yum update
wget https://someurl etc.

Expected Results:
No errors are expected.

Related reference from the man-pages project change-log

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443

http://man7.org/linux/man-pages/changelog.html (search the page for "host.conf")

It seems that the nospoof command was never fully implemented despite being included in the manpage for /etc/host.conf. It was then entirely removed from the source code, which is now resulting in the errors that we're seeing with it.
https://www.pclinuxos.com/forum/index.php?topic=143487.0

https://bugs.centos.org/view.php?id=14762

Comment 2 Ondrej Vasik 2018-05-14 07:39:14 UTC

host.conf (5) manpage is part of man-pages package... Reassigning, as none of these is part of default host.conf coming with setup package.

Comment 3 Nikola Forró 2018-05-24 12:26:47 UTC

Created attachment 1441042 [details]
host.conf.5: clarify glibc versions in which spoof options were recognized

Comment 4 Nikola Forró 2018-05-24 12:29:07 UTC

Peter, is this change sufficient?

Comment 5 Peter E. 2018-05-25 12:53:24 UTC

Hello Nikola, 

Yes, that should suffice. 

Thank you.
(In reply to Nikola Forró from comment #4)
> Peter, is this change sufficient?

Comment 13 Jan Houska 2018-08-17 12:48:48 UTC

VERIFIED

New PASS
man-pages-overrides-7.6.1-3.el7.

In 'man host.conf'

I agree with Comment 10. The Description is now consistent. Also close description of the mentioned options is now sane.

"""
DESCRIPTION
The file /etc/host.conf contains configuration information specific to the resolver library. It should contain one configuration keyword per line, followed by appropriate con‐
figuration information. The keywords recognized are trim, multi, and reorder. These keywords are described below.

trim This keyword may be listed more than once. Each time it should be followed by a list of domains, separated by colons (':'), semicolons (';') or commas (','), with the
leading dot. When set, the resolv+ library will automatically trim the given domain name from the end of any hostname resolved via DNS. This is intended for use with
local hosts and domains. (Related note: trim will not affect hostnames gathered via NIS or the hosts file. Care should be taken to ensure that the first hostname for
each entry in the hosts file is fully qualified or unqualified, as appropriate for the local installation.)

multi Valid values are on and off. If set to on, the resolv+ library will return all valid addresses for a host that appears in the /etc/hosts file, instead of only the first.
This is on by default. On systems with DNS, hosts files are much smaller and the performance loss of multiple search is negligible. On sites with large hosts files,
turning it on may cause a substantial performance loss.

reorder
Valid values are on and off. If set to on, resolv+ will attempt to reorder host addresses so that local addresses (i.e., on the same subnet) are listed first when a
gethostbyname(3) is performed. Reordering is done for all lookup methods. The default value is off.

""""

...

"""

OLD Fail:
man-pages-overrides-7.5.2-1.el7

nospoof
Valid values are on and off. If set to on, the resolv+ library will attempt to prevent hostname spoofing to enhance the security of rlogin and rsh. It works as follows:
after performing a host address lookup, resolv+ will perform a hostname lookup for that address. If the two hostnames do not match, the query will fail. The default
value is off.

spoofalert
Valid values are on and off. If this option is set to on and the nospoof option is also set, resolv+ will log a warning of the error via the syslog facility. The
default value is off.

spoof Valid values are off, nowarn and warn. If this option is set to off, spoofed addresses are permitted and no warnings will be emitted via the syslog facility. If this
option is set to warn, resolv+ will attempt to prevent hostname spoofing to enhance the security and log a warning of the error via the syslog facility. If this option
is set to nowarn, the resolv+ library will attempt to prevent hostname spoofing to enhance the security but not emit warnings via the syslog facility. Setting this
option to anything else is equal to setting it to nowarn.

"""

Comment 16 errata-xmlrpc 2018-10-30 11:34:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3254

Note You need to log in before you can comment on or make changes to this bug.