On Jun 21, 2006, at 01:54 , Mike Jakubik wrote:

> Brooks Davis wrote:
>> On Wed, Jun 21, 2006 at 12:54:32AM -0400, Mike Jakubik wrote:
>>
>>> Justin Hibbits wrote:
>>>
>>>> Hey folks, got an interesting patch. This adds a ~/.hosts file
>>>> (personal version of /etc/hosts). It was written against
>>>> 6-STABLE about a week before 6.1 was released, and has been
>>>> sitting collecting dust for the last month and a half.
>>>> Currently it augments /etc/hosts instead of replacing it or
>>>> prepending it. Any comments? One suggestion that was made was
>>>> to make it an nss module so that it could be controlled by the
>>>> admin. It probably could use some cleanup as well, just putting
>>>> it out here for proof of concept for now, and some direction.
>>>>
>>> Just what exactly is the point of having a user specified hosts
>>> file? Seems like a bad idea to me, in terms of security.
>>>
>>
>> It's useful for cases where you want to add shortcuts to hosts as
>> a user or do interesting ssh port forwarding tricks in some weird
>> cases where you must connect to localhost:port as remotehost:port
>> due to client/server protocol bugs.
>>
>> This patch appears to only support ~/.hosts for non-suid binaries
>> which is the only real security issue. Any admin relying on host
>> to IP mapping for security for ordinary users is an idiot so that
>> case isn't worth worrying about. Doing this as a separate nss
>> module probably makes sense, but I personally like the feature.
>>
>
> Of course relying on /etc/hosts entries for security alone is
> indeed not a good idea, however an Admin may choose to resolve and
> therefore route specified hostnames via /etc/hosts. The user should
> not be able to overwrite these, if this behavior is true, then it
> seems like a reasonable change to me, otherwise it not only seems
> to be a security problem, but also a breach of POLA.
>

In the next couple weeks, when I get some time, I will make it a NSS
module, so that it can be controlled by the admin.

- Justin

Received on Fri Jun 23 2006 - 12:48:20 UTC
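The two properties discussed in the thread (a per-user file that can add names but not override /etc/hosts entries, and no per-user file for set-user-ID programs) can be modelled as below. This is an added example, not the patch from the thread or FreeBSD code: `resolve`, `lookup_in`, `is_privileged`, the system-file-first search order, the byte-exact name match and the sample data are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample data, not taken from the thread. */
static const char SYS_HOSTS[]  = "127.0.0.1 localhost\n10.0.0.5 intranet.example # admin route\n";
static const char USER_HOSTS[] = "# personal\n192.0.2.66 intranet.example\n127.0.0.1 build\n";

/* Scan hosts(5)-style text ("addr name [alias ...]", '#' comments); first match
 * wins. Names are compared byte-for-byte to keep the example short. */
static int lookup_in(const char *text, const char *name, char *out, size_t outlen)
{
    while (*text) {
        const char *stop = text + strcspn(text, "#\n");   /* end of usable part */
        const char *addr = text + strspn(text, " \t");
        const char *q = addr + strcspn(addr, " \t#\n");   /* just past the address */
        int alen = (int)(q - addr);
        while (q < stop) {
            q += strspn(q, " \t");
            size_t hlen = strcspn(q, " \t#\n");
            if (hlen == strlen(name) && memcmp(q, name, hlen) == 0) {
                snprintf(out, outlen, "%.*s", alen, addr);
                return 1;
            }
            q += hlen;
        }
        text += strcspn(text, "\n");                      /* skip comment, if any */
        if (*text == '\n') text++;
    }
    return 0;
}

/* Assumed privilege test: real and effective ids differ (set-user/group-ID). */
int is_privileged(void) { return getuid() != geteuid() || getgid() != getegid(); }
/* The admin's file is searched first, so a user entry can add a name but never
 * replace one; privileged processes never read the user's file at all. */
int resolve(const char *sys, const char *user, int privileged,
            const char *name, char *out, size_t outlen)
{
    if (lookup_in(sys, name, out, outlen)) return 1;
    return privileged ? 0 : lookup_in(user, name, out, outlen);
}

int main(void)
{
    char ip[64] = "";
    if (resolve(SYS_HOSTS, USER_HOSTS, is_privileged(), "intranet.example", ip, sizeof ip))
        printf("intranet.example -> %s\n", ip);
    return 0;
}
```

With the sample data, the user's competing `intranet.example` entry is ignored in favour of the admin's address, while `build` resolves only for an unprivileged caller.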