I noticed that some qa tests were failing on my machine due to my
machine having more than one ip address. It has several for inet, (em1,
vibr0, tun0) and one for IPv6 (em1). Currently, when a host name (or
localhost) is specified for access control, __pmAccAddHost() only adds
the first resolved address to the access table. In my case, it happened
to be the IPv6 address. Several qa tests set up access control using
localhost and then test the access using an inet ip address. These tests
were then failing because the ip address used in the test was not the
one added to the access table.
This could actually be considered to be a security problem, in that if
the intent was to restrict access from a given host, only one of that
host's ip addresses is actually blocked.
I implemented a solution for which all of a host's resolved ip addresses
are added to the access table when the host is specified by name. If the
host is specified by address or wildcard, then only one table entry is
generated, as before.
This fixes qa tests 030, 089, 155, 160, and 422 on my machine. I also
updated tests 023, 244 to handle an unspecified number of table entries
for "localhost".
In an unrelated matter, the second change filters 127.0.0.1 and ::1 to
LOOPBACK in the output of test 200.
These changes have been pushed to the brolley/dev branch of the pcpfans
repository.
Dave
-------------------------------------------------------
commit 99716f0a87a4ea8847139ed4a44c627bec655a31
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Wed Apr 24 17:13:35 2013 -0400
__pmAccAddHost(), __pmAccAddClient() and __pmAccDelClient() were
only considering one network address for a given host. However
a given host can have an arbitrary number of addresses due to
multiple network interfaces and multiple address families
configured on each (e.g. inet, ipv6).
This is a potential security issue since, when a host is specified
by name, the user presumably wishes to restrict all access from that
host but, currently, only one address associated with that host is
being restricted.
In this commit:
- __pmAccAddHost() now adds all of the network addresses associated
with a given host, specified by name, to the host access table.
Hosts specified directly by address continue to generate a single
entry in the table.
- __pmAccAddClient accumulates the permissions for all network
addresses associated with a client specified as "localhost".
- __pmDelClient deletes entries for all network addresses associated
with a client specified as "localhost". It also now maps "localhost"
to the actual host as __pmAccAddHost() and __pmAccAddClient() already
did (and still do).
- qa tests 023 and 244: filter the host access table to include
only one entry for localhost.
commit 77b6b114bb7d86ad6366452fe59e9c91c0f9c10b
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date: Wed Apr 24 17:12:35 2013 -0400
QA test 200: Filter 127.0.0.1 and ::1 to LOOPBACK.
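As an added illustration of the point made in this message (this is not PCP's own code, and `acl_table`, `acl_add_host`, `acl_check` and the `resolver_fn` callback are assumed names for the sake of the demonstration), the following C program keeps a small host access table in which a host given by name is expanded to every address the resolver returns, while an address literal or the `*` wildcard yields exactly one entry. A resolver callback is injected so the logic can be exercised against a constructed dual-stack "localhost" (`::1` and `127.0.0.1`) without live DNS; `resolve_all()` shows the equivalent walk over every `getaddrinfo()` result rather than just the first.

```c
/* Added illustration, not PCP code: resolve a host name to ALL of its
 * addresses before adding it to an access table, so a deny-by-name rule
 * cannot be bypassed from the host's other interfaces or address family. */
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ENTRIES 16
#define MAX_RESOLVED 8

typedef struct {
    char addr[INET6_ADDRSTRLEN]; /* textual address, or "*" for wildcard */
    int allow;                   /* 1 = allow, 0 = deny */
} acl_entry;

typedef struct { acl_entry entries[MAX_ENTRIES]; int count; } acl_table;

/* Resolver callback: write up to `max` textual addresses for `host` into
 * `out`, return how many were written (0 when the name does not resolve). */
typedef int (*resolver_fn)(const char *host, char out[][INET6_ADDRSTRLEN], int max);

/* Real resolver: walk every getaddrinfo() result, not only the first one. */
int resolve_all(const char *host, char out[][INET6_ADDRSTRLEN], int max) {
    struct addrinfo hints, *res, *p;
    int n = 0, i, dup;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* both inet and inet6 */
    hints.ai_socktype = SOCK_STREAM;    /* one result per address */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;
    for (p = res; p != NULL && n < max; p = p->ai_next) {
        const void *in;
        if (p->ai_family == AF_INET)
            in = &((struct sockaddr_in *)p->ai_addr)->sin_addr;
        else if (p->ai_family == AF_INET6)
            in = &((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(p->ai_family, in, out[n], INET6_ADDRSTRLEN) == NULL)
            continue;
        for (dup = 0, i = 0; i < n; i++)        /* skip duplicate addresses */
            if (strcmp(out[i], out[n]) == 0) dup = 1;
        if (!dup) n++;
    }
    freeaddrinfo(res);
    return n;
}

/* Constructed resolver standing in for a dual-stack "localhost". */
int fake_resolve(const char *host, char out[][INET6_ADDRSTRLEN], int max) {
    if (strcmp(host, "localhost") != 0 || max < 2) return 0;
    strcpy(out[0], "::1");          /* first result: the one the old code kept */
    strcpy(out[1], "127.0.0.1");    /* second result: previously left unchecked */
    return 2;
}

static int is_literal(const char *s) {
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Add one host spec. Name -> one entry per resolved address; literal or
 * wildcard -> exactly one entry. Returns entries added, -1 on failure. */
int acl_add_host(acl_table *t, const char *spec, int allow, resolver_fn resolve) {
    char addrs[MAX_RESOLVED][INET6_ADDRSTRLEN];
    int n, i;
    if (strcmp(spec, "*") == 0 || is_literal(spec)) {
        snprintf(addrs[0], INET6_ADDRSTRLEN, "%s", spec);
        n = 1;
    } else if ((n = resolve(spec, addrs, MAX_RESOLVED)) == 0) {
        return -1;
    }
    for (i = 0; i < n; i++) {
        if (t->count >= MAX_ENTRIES) return -1;
        strcpy(t->entries[t->count].addr, addrs[i]);
        t->entries[t->count].allow = allow;
        t->count++;
    }
    return n;
}

/* First matching entry wins; a client matching nothing is denied. */
int acl_check(const acl_table *t, const char *client) {
    int i;
    for (i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].addr, "*") == 0 ||
            strcmp(t->entries[i].addr, client) == 0)
            return t->entries[i].allow;
    return 0;
}

/* Policy "deny localhost by name, allow everyone else", built the fixed way. */
int demo_check(const char *client) {
    acl_table t; memset(&t, 0, sizeof t);
    acl_add_host(&t, "localhost", 0, fake_resolve);
    acl_add_host(&t, "*", 1, fake_resolve);
    return acl_check(&t, client);
}

/* Same policy built the old way: only the first resolved address is denied. */
int demo_check_first_only(const char *client) {
    acl_table t; char addrs[MAX_RESOLVED][INET6_ADDRSTRLEN];
    memset(&t, 0, sizeof t);
    fake_resolve("localhost", addrs, MAX_RESOLVED);
    acl_add_host(&t, addrs[0], 0, fake_resolve);   /* literal: one entry */
    acl_add_host(&t, "*", 1, fake_resolve);
    return acl_check(&t, client);
}

int main(void) {
    printf("fixed: 127.0.0.1 -> %d, old: 127.0.0.1 -> %d\n",
           demo_check("127.0.0.1"), demo_check_first_only("127.0.0.1"));
    return 0;
}
```

With the constructed resolver, `demo_check()` denies both `::1` and `127.0.0.1`, whereas `demo_check_first_only()` still admits `127.0.0.1`, which is exactly the gap the message describes. Swapping `fake_resolve` for `resolve_all` gives the same behaviour against the real `/etc/hosts` or DNS answer for a name.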