Source-Changes archive
Re: CVS commit: src/usr.sbin/ypserv/ypserv
On Sat, May 17, 2008 at 03:28:16PM -0400, Chuck Cranor wrote:
> On Fri, May 16, 2008 at 09:20:54PM +0200, Manuel Bouyer wrote:
> > On Fri, May 16, 2008 at 04:41:42PM +0000, Chuck Cranor wrote:
> > > Disable hostname lookup for ypserv(8) libwrap access control,
> > thanks! But what about making this optional, using a command-line
> > flag?
>
> i think it is a major DoS hazard to allow the single-threaded ypserv(8)
> process to make blocking DNS calls via getnameinfo(3) [see
> src/lib/libwrap/socket.c, function sock_hostname()]. DNS timeouts
> can be quite long (many seconds) and while ypserv(8) is waiting for
> a reply everything else basically _stops_ too. we had a real problem
> with random login/sshd timeout failures due to this.
not an issue if you have only hosts: files in nsswitch.conf
>
> i am also concerned that if you configure nsswitch to use ypserv(8)
> for hosts, you are likely to risk creating an infinite loop with
> ypserv(8)'s libwrap making host calls back to ypserv(8) itself.
>
> it would be easy enough to add a switch for this, but i had trouble
> thinking of a case where you'd want to have both libwrap access control
> and be willing to risk the DoS issues associated with allowing anyone
> on the network to block your ypserv(8) process...?
ypserv can't be blocked if you do only file lookups
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
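The thread turns on one point: a single-threaded server that asks libwrap for the client's hostname is only as responsive as the slowest reverse DNS lookup, and a numeric-only lookup never blocks. The following is an added illustration, not code from ypserv(8) or libwrap: a small peer-naming helper with an `allow_dns` switch (the optional-flag idea raised above), where `allow_dns == 0` passes `NI_NUMERICHOST` so `getnameinfo(3)` cannot touch the resolver. The function names and the sample addresses are constructed for this example, and it assumes a glibc-style `getnameinfo` that does not require the BSD `sa_len` field to be set.

```c
#define _POSIX_C_SOURCE 200112L
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/*
 * Turn a peer address into a string for an access-control decision.
 * allow_dns == 0: NI_NUMERICHOST forbids the reverse lookup, so the call
 * never waits on a resolver and cannot stall a single-threaded server.
 * allow_dns != 0: plain reverse lookup, which may block for a DNS timeout.
 * Returns 0 on success, -1 on error.
 */
int peer_name(const struct sockaddr *sa, socklen_t salen, int allow_dns,
              char *host, size_t hostlen)
{
    int flags = allow_dns ? 0 : NI_NUMERICHOST;
    return getnameinfo(sa, salen, host, hostlen, NULL, 0, flags) == 0 ? 0 : -1;
}

/* Build a constructed sample client address (documentation ranges, not real hosts). */
static int sample_addr(int family, const char *text,
                       struct sockaddr_storage *ss, socklen_t *len)
{
    memset(ss, 0, sizeof(*ss));
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)ss;
        sin->sin_family = AF_INET;
        *len = sizeof(*sin);
        return inet_pton(AF_INET, text, &sin->sin_addr) == 1 ? 0 : -1;
    }
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    sin6->sin6_family = AF_INET6;
    *len = sizeof(*sin6);
    return inet_pton(AF_INET6, text, &sin6->sin6_addr) == 1 ? 0 : -1;
}

/* Format a constructed address numerically (no DNS); 1 if the result equals `expect`. */
int numeric_roundtrip(int family, const char *text, const char *expect)
{
    struct sockaddr_storage ss;
    socklen_t len;
    char host[128];
    if (sample_addr(family, text, &ss, &len) != 0)
        return 0;
    if (peer_name((const struct sockaddr *)&ss, len, 0, host, sizeof host) != 0)
        return 0;
    return strcmp(host, expect) == 0;
}
```

Only the numeric path is exercised here; calling `peer_name` with `allow_dns != 0` is exactly the blocking reverse lookup the thread warns about and should never be run from a server's main loop without a resolver timeout budget you can afford.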