
Re: [leafnode-list] fqdn validation



Jonathan Larmour wrote on 2002-04-10:

> validatefqdn() checks that the fqdn isn't localhost. However fqdn is set by
> miscutil.c:whoami() which includes:
> 
>     if (!gethostname(fqdn, 255) && (he = gethostbyname(fqdn)) != NULL) {
>         strncpy(fqdn, he->h_name, 255);
>         if (strchr(fqdn, '.') == NULL) {
>          [ use a DNS alias ]
> 
> The thing is that although I set up a valid fqdn (foo.bar.org) with a
> sensible IP addr, my system has its /etc/hosts set up such that foo.bar.org
> is address 127.0.0.1, i.e.:
> 
> 127.0.0.1		localhost.localdomain localhost foo.bar.org foo
> 
> This is to cut out overhead for times where the machine connects to itself,
> and is in fact how Red Hat Linux sets itself up by default.

<shrug> killing 25 µs ping time off a Duron/700. Wonder if that's
worthwhile.  And will in fact kill protocols that encode their own IP as
payload, because the IP lookup will yield 127.0.0.1 rather than the
actual IP.  What a brilliant idea. OK, we're not here to discuss
distro madness.

> The problem is that the above code results in he->h_name being set to
> localhost.localdomain since that is the canonical name (and for 127.0.0.1
> that's correct). This then causes validatefqdn() to complain.

If a lookup (to qualify the domain) for "foo" yields
localhost.localdomain, that's a hosed setup. Why do Red Hat set up
localhost.localdomain if they have a real domain? Unqualified
"localhost", OK, but a qualified "localhost" is heading for trouble.

SuSE sets up like this:

127.0.0.1       localhost
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback
# (some further default IPv6 stuff like mcast, allrouters and the like here)
192.168.0.1     joe.some.example.org joe

> I think the correct answer is simply to delete the strncpy(). Setting fqdn

Is that portable? How about really old libcs, say, SunOS 4.1.3?

> to the canonical name won't really achieve much since using an alias should
> have the same effect anyway.

*shrug* More verbosely, please.

> And the checking for localhost in validatefqdn() isn't intended to
> prevent configurations like this.

No, it cannot catch any possible misconfiguration, whether it originates
from the user or from the system installation software.

> If people agree, it would be nice to have this in any eventual 1.9.22. I
> don't see any checking any longer in the 2.0b series, so presumably it
> wouldn't have this problem.

FQDN validation will not be dropped.

However, if the logic to retrieve the actual host name can be improved,
so be it. The length-logic as in 1.9.21 is not too bright, admittedly.

Rest assured that leafnode 2.0.x will do domain validation as well.

Please try the patch below and report back if that works for you. If you
want debug information in your syslog, just try something like:

LN_DEBUG_QUALIFICATION=1 sudo /usr/local/sbin/leafnode
or, as root: LN_DEBUG_QUALIFICATION=1 /usr/local/sbin/leafnode

Adjust the path to leafnode if needed.

Then enter QUIT if leafnode starts up. The debug log will contain
something like this:

Apr 11 02:01:01 merlin leafnode[12278]: canonical hostname: localhost
Apr 11 02:01:01 merlin leafnode[12278]: alias for my hostname: foo.dom.com
Apr 11 02:01:01 merlin leafnode[12278]: alias for my hostname: foo.dom.com
Apr 11 02:01:01 merlin leafnode[12278]: alias for my hostname: foo

Index: miscutil.c
===================================================================
RCS file: /home/emma/mycvsroot/leafnode-1/miscutil.c,v
retrieving revision 1.15
diff -u -r1.15 miscutil.c
--- miscutil.c	2002/04/05 19:03:34	1.15
+++ miscutil.c	2002/04/10 23:58:55
@@ -275,17 +275,32 @@
 whoami(void)
 {
     struct hostent *he;
+    int debugqual = 0;
+    char *x;
 
+    if ((x = getenv("LN_DEBUG_QUALIFICATION")) != NULL
+	&& *x)
+	debugqual = 1;
+
     if (!gethostname(fqdn, 255) && (he = gethostbyname(fqdn)) != NULL) {
-	strncpy(fqdn, he->h_name, 255);
-	if (strchr(fqdn, '.') == NULL) {
+	fqdn[0] = '\0';
+	strncat(fqdn, he->h_name, 255);
+	if (debugqual) syslog(LOG_DEBUG, "canonical hostname: %s", fqdn);
+	if (strchr(fqdn, '.') == NULL
+	    || 0 == strncasecmp(fqdn, "localhost", 9)) {
 	    char **alias;
 	    alias = he->h_aliases;
-	    while (alias && *alias)
-		if (strchr(*alias, '.') && (strlen(*alias) > strlen(fqdn)))
-		    strncpy(fqdn, *alias, 255);
-		else
+	    while (alias && *alias) {
+		if (debugqual) {
+		    syslog(LOG_DEBUG, "alias for my hostname: %s", *alias);
+		}
+		if (strchr(*alias, '.') && (strlen(*alias) > strlen(fqdn))
+		    && (0 != strncasecmp(*alias, "localhost", 9))) {
+		    fqdn[0] = '\0';
+		    strncat(fqdn, *alias, 255);
+		} else
 		    alias++;
+	    }
 	}
     }
 }
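Review bot: in the alias loop, alias++ is still only in the else branch, so after an alias has been copied into fqdn the same alias is examined again on the next pass (it then fails strlen(*alias) > strlen(fqdn), because the two are now equal, and is skipped); that is why the sample log above shows "alias for my hostname: foo.dom.com" twice. Worse, for an alias longer than 255 characters the copy is truncated, strlen(*alias) > strlen(fqdn) stays true and the loop never terminates. Moving alias++ out of the else so it runs on every iteration fixes both. Two smaller points: strncasecmp(fqdn, "localhost", 9) is a prefix test, so a host legitimately named localhostile.example.org would be rejected too; checking additionally that fqdn[9] is '\0' or '.' restricts the test to the localhost label. And strncat(fqdn, ..., 255) writes up to 255 characters plus the terminating NUL, so fqdn must be at least 256 bytes; its declaration is outside the hunk and worth confirming.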

-- 
leafnode-list@xxxxxxxxxxxxxxxxxxxxxxxxxxxx -- mailing list for leafnode
To unsubscribe, send mail with "unsubscribe" in the subject to the list
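As an added example, not leafnode's code and not part of the thread above: the qualification rule the patch is reaching for (take the canonical name if it is dotted and not localhost, otherwise the longest dotted alias that is not localhost) written as a stand-alone C function over hostent-like data, so it can be exercised without any DNS or /etc/hosts lookup. The names pick_fqdn, is_localhost_label, copy_bounded and the demo_* scenarios are made up for this example; the sample host names are taken from the /etc/hosts lines quoted in the thread.

```c
/* Added example, not leafnode's code: host-name qualification over
 * hostent-like data, exercised on constructed /etc/hosts scenarios.
 * pick_fqdn, is_localhost_label, copy_bounded and demo_* are names
 * made up for this example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define FQDN_LEN 256    /* 255 characters plus the terminating NUL */

/* True if the first label of name is exactly "localhost", case-insensitively.
 * strncasecmp(name, "localhost", 9) alone is a prefix test and would also
 * reject a host called localhostile.example.org, hence the check on name[9]. */
int is_localhost_label(const char *name)
{
    return strncasecmp(name, "localhost", 9) == 0
        && (name[9] == '\0' || name[9] == '.');
}

/* Copy src into dst[dstlen], always NUL-terminated. Returns 0 on success;
 * if src does not fit, dst becomes "" and -1 is returned (a silently
 * truncated host name is worse than none). */
static int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* canon:   what gethostbyname() returned in h_name
 * aliases: NULL-terminated list as in h_aliases (may itself be NULL)
 * Returns 1 and fills fqdn with a dotted, non-localhost name, or 0 if the
 * lookup data contains none (fqdn then holds canon, or "" if it did not fit). */
int pick_fqdn(const char *canon, char *const *aliases, char *fqdn, size_t fqdnlen)
{
    const char *best = NULL;
    char *const *a;

    if (copy_bounded(fqdn, fqdnlen, canon) == 0
        && strchr(fqdn, '.') != NULL && !is_localhost_label(fqdn))
        return 1;

    /* The pointer advances on every iteration, so each alias is looked at
     * exactly once whether or not it is the current best candidate. */
    for (a = aliases; a != NULL && *a != NULL; a++) {
        if (strchr(*a, '.') == NULL || is_localhost_label(*a))
            continue;
        if (best == NULL || strlen(*a) > strlen(best))
            best = *a;
    }
    if (best == NULL)
        return 0;
    return copy_bounded(fqdn, fqdnlen, best) == 0;
}

/* Constructed scenarios built from the /etc/hosts lines quoted in the thread.
 * Red Hat style:  127.0.0.1  localhost.localdomain localhost foo.bar.org foo */
const char *demo_redhat(void)
{
    static char fqdn[FQDN_LEN];
    char *const aliases[] = { "localhost", "foo.bar.org", "foo", NULL };
    return pick_fqdn("localhost.localdomain", aliases, fqdn, sizeof fqdn) ? fqdn : NULL;
}

/* SuSE style:  192.168.0.1  joe.some.example.org joe */
const char *demo_suse(void)
{
    static char fqdn[FQDN_LEN];
    char *const aliases[] = { "joe", NULL };
    return pick_fqdn("joe.some.example.org", aliases, fqdn, sizeof fqdn) ? fqdn : NULL;
}

/* A hosed setup: no dotted name at all besides localhost.localdomain. */
const char *demo_hosed(void)
{
    static char fqdn[FQDN_LEN];
    char *const aliases[] = { "localhost", "foo", NULL };
    return pick_fqdn("localhost.localdomain", aliases, fqdn, sizeof fqdn) ? fqdn : NULL;
}

int main(void)
{
    const char *r;
    r = demo_redhat(); printf("Red Hat: %s\n", r ? r : "(no usable name)");
    r = demo_suse();   printf("SuSE:    %s\n", r ? r : "(no usable name)");
    r = demo_hosed();  printf("hosed:   %s\n", r ? r : "(no usable name)");
    return 0;
}
```

The third scenario is the case validatefqdn() exists for: when the lookup data has no usable dotted name, pick_fqdn() says so instead of leaving a localhost name in fqdn for later code to trip over.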