Bug 83719 - hosts.allow IPaddr/mask wrongly interpreted
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcp_wrappers
Version: 8.0
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Florian La Roche
QA Contact: David Lawrence
Reported: 2003-02-07 16:14 UTC by Graham King
Modified: 2007-04-18 16:50 UTC (History)
Last Closed: 2003-02-19 16:03:42 UTC



Description Graham King 2003-02-07 16:14:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020830

Description of problem:
man hosts.allow says:
"An  expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
 `net/mask' pair. An IPv4 host address is  matched  if  `net'  is
 equal  to  the  bitwise  AND  of the address and the `mask'."

However, portmap is denied to host aaa.bbb.ccc.ddd/255.255.255.255, 
suggesting that the mask is wrongly applied.


Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:

On an NFS server host, /etc/hosts.deny contains:
ALL:ALL

/etc/hosts.allow contains (IP addresses sanitised):
portmap:ppp.qqq.rrr.sss/255.255.255.0,aaa.bbb.ccc.ddd/255.255.255.255
rpc.mountd:ppp.qqq.rrr.sss/255.255.255.0,aaa.bbb.ccc.ddd/255.255.255.255

An attempt to mount an NFS volume onto aaa.bbb.ccc.ddd gives the following in
the syslog on the NFS server host:
portmap[30168]: connect from aaa.bbb.ccc.ddd to getport(mountd): request from
unauthorized host

However, after changing the mask in hosts.allow to 255.255.255.254 the mount
attempt succeeds.

nfs-utils-1.0.1-2
tcp_wrappers-7.6-23

Additional info:

Comment 1 Thomas Woerner 2003-02-19 16:03:42 UTC
This is no bug:

> man hosts.allow
    ...
    An  expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
    `net/mask' pair. An IPv4 host address is  matched  if  `net'  is
    equal  to  the  bitwise  AND  of the address and the `mask'. For
    example,  the  net/mask   pattern   `131.155.72.0/255.255.254.0'
    matches  every  address  in  the  range  `131.155.72.0'  through
    `131.155.73.255'.
    ...

Do not use net/mask pair for a single host.
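
The matching rule quoted from the man page, as an added example that is not part of the bug report and is not tcp_wrappers source code. The second function is an assumption about why a 255.255.255.255 mask gets rejected: it models a parser built on inet_addr(), whose error value is the same 32 bits as that mask. Function names and the 192.0.2.16 sample host are constructed for illustration.

```c
/* Added example; not tcp_wrappers source code. */
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* hosts.allow(5) rule: match if net == (address AND mask).
 * inet_pton() reports errors out of band, so every dotted quad is usable.
 * Returns 1 = match, 0 = no match, -1 = malformed input. */
int mask_match(const char *net, const char *mask, const char *addr)
{
    struct in_addr n, m, a;

    if (inet_pton(AF_INET, net, &n) != 1 ||
        inet_pton(AF_INET, mask, &m) != 1 ||
        inet_pton(AF_INET, addr, &a) != 1)
        return -1;
    return (a.s_addr & m.s_addr) == n.s_addr;
}

/* Assumption: a parser built on inet_addr(), whose error value INADDR_NONE
 * is the same 32 bits as the valid quad 255.255.255.255. A host mask is then
 * indistinguishable from a parse failure and the pattern is rejected. */
int mask_match_inet_addr(const char *net, const char *mask, const char *addr)
{
    in_addr_t n = inet_addr(net), m = inet_addr(mask), a = inet_addr(addr);

    if (n == INADDR_NONE || m == INADDR_NONE || a == INADDR_NONE)
        return -1;
    return (a & m) == n;
}

int main(void)
{
    /* Constructed sample host from the 192.0.2.0/24 documentation range. */
    const char *host = "192.0.2.16";

    printf("man page range, 131.155.73.255:  %d\n",
           mask_match("131.155.72.0", "255.255.254.0", "131.155.73.255"));
    printf("outside range,  131.155.74.0:    %d\n",
           mask_match("131.155.72.0", "255.255.254.0", "131.155.74.0"));
    printf("host/255.255.255.255, inet_pton: %d\n",
           mask_match(host, "255.255.255.255", host));
    printf("host/255.255.255.255, inet_addr: %d\n",
           mask_match_inet_addr(host, "255.255.255.255", host));
    printf("host/255.255.255.254, inet_addr: %d\n",
           mask_match_inet_addr(host, "255.255.255.254", host));
    return 0;
}
```

A rejected pattern fails closed under the ALL:ALL deny rule, which is consistent with the "unauthorized host" log line; listing the bare host address in hosts.allow avoids the mask entirely.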


