Bug 493631 - nfs-utils-1.0.9-40.el5 doesn't work with tcp_wrapper/missing reverse DNS lookups
nfs-utils-1.0.9-40.el5 doesn't work with tcp_wrapper/missing reverse DNS lookups
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nfs-utils (Show other bugs)
4.8
All Linux
low Severity urgent
: rc
: ---
Assigned To: Steve Dickson
BaseOS QE
:
Depends On: 483774 494878
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-02 09:14 EDT by Jan Ščotka
Modified: 2013-01-10 00:08 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 483774
Environment:
Last Closed: 2009-04-07 12:01:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 6 Warren Togami 2009-04-02 10:56:35 EDT
What exactly is the broken behavior in RHEL4/5 that needs to be fixed?  The cloned bug above is too full of garbage.
Comment 7 Tomas Hoger 2009-04-02 11:13:04 EDT
(In reply to comment #6)
> What exactly is the broken behavior in RHEL4/5 that needs to be fixed?  The
> cloned bug above is too full of garbage.  

https://bugzilla.redhat.com/show_bug.cgi?id=458676#c8

In current RHEL5 version, if you have a hostname-based rule in hosts.deny, it may be ignored.  Sure, using hostnames there is pretty bad idea anyway, as DNS outage will have the same result.  Similar change is now being added to RHEL4, that's why I already asked in relevant bug report to consider Steve's rewrite instead.
Comment 8 Jan Ščotka 2009-04-02 11:22:54 EDT
I tested support by tcp wrappers,
And it seems to be okay, until used mount locally,

in hosts.deny is
mountd:ALL
statd:ALL

hosts.allow is empty

exports contain
/tmp *(ro,sync)

then
# mount ppcp-4as-v1.lab.bos.redhat.com:/tmp /mnt
When I tried it from another machine, everting was ok, (RPC Error:
Authentication error.)

But when I used same command on computer where nfs running, mount is succesful
(but shouldn't be)


I'm not sure if it is caused by DNS hostnames (because there is ALL in hosts.deny) But I think, this bug shoud be fixed (not all host lookup).
In case of question, please ping me on irc #qa #urt #devel
Comment 9 Warren Togami 2009-04-02 11:25:15 EDT
This should be CLOSED CANTFIX or NOTABUG.

https://bugzilla.redhat.com/show_bug.cgi?id=480223#c18
This proposed behavior was pushed to Fedora updates and it was a disaster breaking many existing deployments.  Upstream refused to accept this and we backed it out from Fedora.  This is simply a design limitation of tcp wrappers.
Comment 10 Tomas Hoger 2009-04-02 15:04:09 EDT
(In reply to comment #8)
> And it seems to be okay, until used mount locally,
[ ... ]
> But when I used same command on computer where nfs running, mount is succesful
> (but shouldn't be)

On a first read, it sound this may even be a feature...  And quick look into support/misc/tcpwrapper.c confrims:

170 int
171 check_default(daemon, addr, proc, prog)
172 char *daemon;
173 struct sockaddr_in *addr;
174 u_long  proc;
175 u_long  prog;
176 {   
177     if (!(from_local(addr) || good_client(daemon, addr))) {
178         log_bad_host(addr, proc, prog);
179         return (FALSE);
180     }

All local access bypasses tcp_wrappers checking at all.  Though this is quite obviously unrelated to the bug that was cloned.  So what problem is this bug supposed to report?

(In reply to comment #9)
> This proposed behavior was pushed to Fedora updates and it was a disaster
> breaking many existing deployments.

Sorry Warren, I'm unable to follow you.  I have explained the differences (and problems) of the patch that went into Fedora, and that it is not used or on the way to RHEL.  Is there any mistake in that?

> Upstream refused to accept this and we backed it out from Fedora.

Not really.  Bad fix was reverted and replaced with good fix.  Why not use the good fix in RHEL too?

> This is simply a design limitation of tcp wrappers.  

Do you mean problem with hostname based rules vs. DNS outages?
Comment 11 Jan Ščotka 2009-04-03 07:10:32 EDT
So, If it is expected result, then everything is okay.
Problem is, that when I tested tcp_wrappers with snmpd, then also local hosts was refused.
I expected same behaviour with nfs
Comment 12 Warren Togami 2009-04-03 11:29:07 EDT
Perhaps both the RHEL4 and RHEl5 bug should start again.  There was too much garbage here confusing the issue.  Fresh bugs should be filed describing EXACTLY what needs to be fixed.
Comment 15 Jan Ščotka 2009-04-07 12:01:29 EDT
because previous comment.

Note You need to log in before you can comment on or make changes to this bug.