
Bug 56545

Summary: nscd reverse maps IP addresses incorrectly
Product: [Retired] Red Hat Linux
Reporter: John Dalbec <jpdalbec>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 7.1
CC: drepper, fweimer, kjetilho
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-10-04 06:44:17 UTC

Description John Dalbec 2001-11-20 19:39:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (Windows NT 5.0; U)

Description of problem:
I have machines with multiple A records in DNS but (of course) a unique PTR record for the IP.  The nscd daemon seems to choose a random 'A' record for reverse mapping.  When I first restart the daemon, 150.134.10.203 resolves (correctly) to mail03.cc.ysu.edu.  Later it starts resolving to mail.ysu.edu (an alias 'A' record).  It seems like nscd makes no distinction between information from DNS and information from /etc/hosts (where choosing a random (or the first) address mapping to reverse map makes some sense).

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Define two 'A' records for a static IP box.
2. Define a PTR record for the IP.
3. Start nscd.
4. Access the machine using both 'A' records.
5. If you don't see results, try switching the PTR to the other 'A' record.

Actual Results:  gethostbyaddr() starts returning the wrong hostname.

Expected Results:  gethostbyaddr() should always return the hostname in the PTR record.

Additional info:

Comment 1 John Dalbec 2001-12-19 19:07:55 UTC
*Sheepish* I guess it would help if I configured /etc/hosts consistently with DNS.
DNS has:
mail03.cc.ysu.edu.      86400   IN      A       150.134.10.203
mail.ysu.edu.           86400   IN      A       150.134.10.203
ldap.ysu.edu.           86400   IN      A       150.134.10.203
203.10.134.150.in-addr.arpa. 86400 IN   PTR     MAIL03.CC.YSU.EDU.
I had "150.134.10.203 mail03.cc.ysu.edu mail03" in /etc/hosts.
I've changed this to "150.134.10.203 mail03.cc.ysu.edu mail03 mail.ysu.edu ldap.ysu.edu".  
SFSG.  If all goes well the next few days I'll make this NOTABUG.

Comment 2 John Dalbec 2002-01-14 22:01:41 UTC
One of the other machines in the cluster started reverse resolving mail03.cc.ysu.edu as mail.ysu.edu.  This one didn't have mail03.cc.ysu.edu in /etc/hosts at all.  As a workaround I've added mail03 to /etc/hosts on all my machines, but I don't see how this could be a misconfiguration on my part.  I'm reopening the bug.

Comment 3 Kjetil T. Homme 2002-03-25 20:43:29 UTC
Actually, this is a serious security problem.  nscd will cache a reverse lookup,
and use the result for a forward lookup as well!  Look at this:

# getent hosts 80.82.160.10
80.82.160.10    localhost
# ping localhost
PING localhost (80.82.160.10): 56 data bytes
64 bytes from localhost (80.82.160.10): seq=0 ttl=233 time=133 ms.
64 bytes from localhost (80.82.160.10): seq=1 ttl=233 time=136 ms.

If someone at 80.82.160.10 tried to connect to, say, my sshd, my system would
automatically do a reverse lookup.  If they next tried to connect to my MySQL,
MySQL would think that 80.82.160.10 is localhost, and allow them in.  I'm sure
you can think of other ugly ways to exploit this bug.
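
The exposure described in Comment 3 comes from trusting a host name that originated in a PTR record. The C code below is an added example, not code from glibc, nscd or this report: it shows a forward-confirmed reverse DNS check, which accepts a PTR name only if that name's own A records include the peer address. The two tables are constructed stand-ins for resolver answers, modelled on the records quoted in this report, and the check assumes the forward answer is obtained independently of any cache the reverse answer could have populated.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data modelled on the records quoted in this report. */
struct rec { const char *name; const char *ip; };
static const struct rec PTR_RECS[] = {      /* reverse data: ip -> name */
    { "MAIL03.CC.YSU.EDU.", "150.134.10.203" },
    { "localhost",          "80.82.160.10"   },  /* PTR chosen by the address owner */
};
static const struct rec A_RECS[] = {        /* forward data: name -> ip */
    { "mail03.cc.ysu.edu", "150.134.10.203" },
    { "mail.ysu.edu",      "150.134.10.203" },
    { "localhost",         "127.0.0.1"      },
};

/* Compare host names ignoring case and one trailing root dot. */
static int same_name(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

/* Compare two dotted-quad strings as binary addresses, not as text. */
static int same_addr(const char *a, const char *b) {
    struct in_addr x, y;
    return inet_pton(AF_INET, a, &x) == 1 && inet_pton(AF_INET, b, &y) == 1
        && x.s_addr == y.s_addr;
}

/* Return the PTR name for peer_ip only if one of that name's A records
 * maps back to peer_ip; otherwise NULL (treat the peer as unnamed). */
const char *confirmed_name(const char *peer_ip) {
    size_t np = sizeof PTR_RECS / sizeof PTR_RECS[0];
    size_t na = sizeof A_RECS / sizeof A_RECS[0];
    for (size_t i = 0; i < np; i++) {
        if (!same_addr(PTR_RECS[i].ip, peer_ip)) continue;
        for (size_t j = 0; j < na; j++)
            if (same_name(A_RECS[j].name, PTR_RECS[i].name) &&
                same_addr(A_RECS[j].ip, peer_ip))
                return PTR_RECS[i].name;
        return NULL;   /* PTR exists but forward data does not confirm it */
    }
    return NULL;       /* no PTR record for this address */
}
```

A service that grants access by host name would apply its ACL to the value returned here and fall back to the numeric address when the result is NULL.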



Comment 4 Ulrich Drepper 2004-10-04 06:44:17 UTC
This is all long not the case anymore.  Try FC3t2 for the latest code.