[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?
mouss
mlist.only at free.fr
Mon Jan 14 21:06:10 UTC 2008
Eric B. wrote:
>>> I've been working at getting a tftp server up an running in a
>>> chroot jail, and I have finally succeed getting almost everything
>>> working. The server itself works fine, however, it is implemented
>>> as a tcpwrapper application (ie: in.tftpd) and I am having trouble
>>> getting it to resolve DNS names. I copied my /etc/hosts.allow and
>>> /etc/hosts.deny in my chroot/etc folder, however, they only work
>>> properly if I provide IP addresses. If I use FQDN, they fail.
>>>
>>> For instance, in hosts.allow:
>>> in.tfptd: 192.168.1.101 allow
>>>
>>> works fine
>>>
>>> But the following fails
>>> in.tftptd: eric.test.com allow
>>>
>>>
>>> I'm assuming I am missing a library/libraries in my chroot jail,
>>> but am not sure which ones. I've got all the libs req'd by ldd,
>>> but I am guessing there is something else that I am missing.
>>
>> ---------- End Original Message ----------
>>
>> from a security standpoint i don't think you want to control access
>> by fqdn.
>> the name being given access is based on the inverse-map lookup
>> (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so,
>> this isn't controlled by the keepers of the "test.com" zone, rather,
>> anyone can set up "eric.test.com" as an inverse entry for an ipnumber
>> for which they control the in-addr.arpa records.
>>
If hosts.allow and friends use the fqdn without reverse validation, then
I consider this a huge bug. The original tcp wrappers will set the
hostname to "unknown" if the reverse and rdns do not match (ip -> rdns
-> ip must return the original IP). I am certain this is still the case
in the current implementations.
>> i.e., putting an fqdn in the hosts.allow file only gives security by
>> obscurity. if someone figures out the fqdns that you're giving access
>> to, and has control of the in-addr.arpa for an ipnumber range they
>> can connect from, they can gain access to your system.
>>
>> - Rick
>
>
>
> Thanks for the feedback Rick. I didn't realize that security implication.
> However I'm already running this on a machine that is heavily firewalled on
> a VPN so I am fairly sure that no one will be accessing this externally, but
> I still would like to restrict access to particular machines. Ideally,
> would rather use FQDN to make life easier for me to administer. I have
> created my additional reverse-dns pointer but I am still having problems
> with it.
>
> nslookup from the server gives me:
> # nslookup 192.168.3.103
> Server: 192.168.1.67
> Address: 192.168.1.67#53
>
> 103.3.168.192.in-addr.arpa name = eric.test.com.3.168.192.in-addr.arpa.
>
It looks like there is a missing trailing dot in your DNS zone
configuration. I doubt you are authoritative for the in-addr.arpa zone.
in your zone file, you should have something like
103 IN PTR eric.test.example.
(notice the last dot). Otherwise, the zone name (@ORIGIN) will be added.
make sure you have a matching reverse _and_ forward resolution. you
should get something like:
192.168.3.103 => eric.test.example
_and_
eric.test.example => 192.168.3.103
If you only have the reverse lookup, the result is untrusted and sane
applications should ignore it.
>
> However, when I try to connect to the tftp server, my connection is still
> refused, and I get the following in the log msgs:
>
> Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from
> 192.168.103.103
>
>
> I am obviously doing something still incorrect, but not sure what.
>
> Can you help point me in the right direction please? Is my reverse DNS
> incorrectly set up?
More information about the CentOS
mailing list