Disable hostname lookup for ypserv(8) libwrap access control,

as they can cause performance problems while ypserv is blocked waiting for the DNS to respond. initially discussed here: http://mail-index.netbsd.org/tech-userlevel/2006/11/01/0014.html This diff is from Doug Needham who found an easy way to get the desired behavior without having to change libwrap.
2008-05-16 16:41:42 +00:00 · 2008-05-16 16:41:42 +00:00 · 77b3637f18
commit 77b3637f18
parent 04f1cf0315
2 changed files with 27 additions and 3 deletions
--- a/usr.sbin/ypserv/ypserv/ypserv.8
+++ b/usr.sbin/ypserv/ypserv/ypserv.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: ypserv.8,v 1.18 2006/05/20 20:03:28 christos Exp $
+.\"	$NetBSD: ypserv.8,v 1.19 2008/05/16 16:41:42 chuck Exp $
 .\"
 .\" Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
 .\" All rights reserved.
@ -83,6 +83,16 @@ server,
 will return the
 .Tn NIS
 result code YP_NODOM.
+To avoid problems with DNS lookups causing 
+.Nm
+to hang,
+.Nm
+disables DNS lookups for its client
+.Xr hosts_access 5
+lists.  The result is that
+.Nm
+can only use address based patterns.  This also means that wildcard patterns
+such as LOCAL or KNOWN will not work.
 .Pp
 The process pid of the
 .Nm
--- a/usr.sbin/ypserv/ypserv/ypserv.c
+++ b/usr.sbin/ypserv/ypserv/ypserv.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ypserv.c,v 1.21 2007/12/15 19:44:57 perry Exp $	*/
+/*	$NetBSD: ypserv.c,v 1.22 2008/05/16 16:41:42 chuck Exp $	*/

 /*
 * Copyright (c) 1994 Mats O Jansson <moj@stacken.kth.se>
@ -33,7 +33,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ypserv.c,v 1.21 2007/12/15 19:44:57 perry Exp $");
+__RCSID("$NetBSD: ypserv.c,v 1.22 2008/05/16 16:41:42 chuck Exp $");
 #endif

 #include <sys/types.h>
@ -97,6 +97,7 @@ static struct bindsock {

 static void	usage(void) __dead;
 static int	bind_resv_port(int, sa_family_t, in_port_t);
+void		ypserv_sock_hostname(struct host_info *host);

 static void
 _msgout(int level, const char *msg, ...)
@ -110,6 +111,11 @@ _msgout(int level, const char *msg, ...)
 	va_end(ap);
 }

+void ypserv_sock_hostname(struct host_info *host)
+{
+	host->name[0] = 0;
+}
+
 static void
 ypprog_2(struct svc_req *rqstp, SVCXPRT *transp)
 {
@ -142,6 +148,14 @@ ypprog_2(struct svc_req *rqstp, SVCXPRT *transp)
 	(void)request_init(&req, RQ_DAEMON, getprogname(), RQ_CLIENT_SIN,
 	    caller, NULL);
 	sock_methods(&req);
+
+	/*
+	 * Do not do hostname lookups!  This avoids possible delays due
+	 * to DNS, preventing a possible DoS attack, as well as possible 
+	 * circular lookups (e.g. a hostname lookup requiring a request 
+	 * to ourselves).
+	 */
+	req.hostname = ypserv_sock_hostname;
 #endif

 	switch (rqstp->rq_proc) {