Brooks Davis wrote:
> On Wed, Jun 21, 2006 at 12:54:32AM -0400, Mike Jakubik wrote:
>
>> Justin Hibbits wrote:
>>
>>> Hey folks, got an interesting patch. This adds a ~/.hosts file
>>> (personal version of /etc/hosts). It was written against 6-STABLE
>>> about a week before 6.1 was released, and has been sitting collecting
>>> dust for the last month and a half. Currently it augments /etc/hosts
>>> instead of replacing it or prepending it. Any comments? One
>>> suggestion that was made was to make it an nss module so that it could
>>> be controlled by the admin. It probably could use some cleanup as
>>> well, just putting it out here for proof of concept for now, and some
>>> direction.
>>>
>> Just what exactly is the point of having a user specified hosts file?
>> Seems like a bad idea to me, in terms of security.
>>
>
> It's useful for cases where you want to add shortcuts to hosts as a user
> or do interesting ssh port forwarding tricks in some weird cases where
> you must connect to localhost:port as remotehost:port due to
> client/server protocol bugs.
>
> This patch appears to only support ~/.hosts for non-suid binaries which
> is the only real security issue. Any admin relying on host to IP
> mapping for security for ordinary users is an idiot so that case isn't
> worth worrying about. Doing this as a separate nss module probably
> makes sense, but I personally like the feature.
>

Of course relying on /etc/hosts entries for security alone is indeed not
a good idea, however an Admin may choose to resolve and therefore route
specified hostnames via /etc/hosts. The user should not be able to
overwrite these, if this behavior is true, then it seems like a
reasonable change to me, otherwise it not only seems to be a security
problem, but also a breach of POLA.

Received on Wed Jun 21 2006 - 03:54:46 UTC
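
The lookup policy debated in this thread (system hosts file authoritative, per-user file only adding names it lacks, per-user file ignored in set-id processes), as an added example that is not the patch under discussion or FreeBSD code. The names `hosts_lookup` and `resolve`, the `set_id` flag and the sample entries are assumptions made for illustration, and name matching is case-sensitive for brevity.

```c
#include <stdio.h>
#include <string.h>

/* Search hosts(5)-format text for name; copy its address to out. 1 = found. */
static int hosts_lookup(const char *text, const char *name, char *out, size_t outlen)
{
    for (const char *line = text; *line; ) {
        size_t n = strcspn(line, "\n");           /* length of this line */
        size_t end = strcspn(line, "#\n");        /* data stops at comment or EOL */
        const char *addr = line + strspn(line, " \t");
        size_t alen = strcspn(addr, " \t#\n");    /* 0 for blank/comment lines */
        for (const char *p = addr + alen; alen && p < line + end; ) {
            p += strspn(p, " \t");
            size_t hlen = strcspn(p, " \t#\n");
            if (hlen && strlen(name) == hlen && strncmp(p, name, hlen) == 0) {
                snprintf(out, outlen, "%.*s", (int)alen, addr);
                return 1;
            }
            p += hlen;
        }
        line += n + (line[n] == '\n');
    }
    return 0;
}

/* System file is authoritative; the per-user file can only add names the
 * system file lacks, and is skipped entirely when set_id is nonzero
 * (assumption: on FreeBSD the caller would pass the result of issetugid(2)). */
static int resolve(const char *sys, const char *user, int set_id,
                   const char *name, char *out, size_t outlen)
{
    if (hosts_lookup(sys, name, out, outlen))
        return 1;
    return !set_id && user && hosts_lookup(user, name, out, outlen);
}

/* Constructed sample data using documentation address ranges. */
static const char SYS_HOSTS[] = "127.0.0.1 localhost\n192.0.2.10 db.internal db # admin pin\n";
static const char USER_HOSTS[] = "# ~/.hosts\n198.51.100.7 db.internal\n198.51.100.9 build\n";

int main(void)
{
    char a[64];
    const char *names[] = { "db.internal", "build", "nosuch" };
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", names[i],
               resolve(SYS_HOSTS, USER_HOSTS, 0, names[i], a, sizeof a) ? a : "(none)");
    return 0;
}
```

The user's attempt to repoint `db.internal` has no effect because the admin's entry wins, while the new shortcut `build` resolves only when the process is not set-id.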