[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?

Mon Jan 14 21:06:10 UTC 2008
mouss <mlist.only at free.fr>

Eric B. wrote:
>>> I've been working at getting a tftp server up an running in a
>>> chroot jail, and I have finally succeed getting almost everything
>>> working. The server itself works fine, however, it is implemented
>>> as a tcpwrapper application (ie: in.tftpd) and I am having trouble
>>> getting it to resolve DNS names. I copied my /etc/hosts.allow and
>>> /etc/hosts.deny in my chroot/etc folder, however, they only work
>>> properly if I provide IP addresses. If I use FQDN, they fail.
>>>
>>> For instance, in hosts.allow:
>>> in.tfptd: 192.168.1.101 allow
>>>
>>> works fine
>>>
>>> But the following fails
>>> in.tftptd: eric.test.com allow
>>>
>>>
>>> I'm assuming I am missing a library/libraries in my chroot jail,
>>> but am not sure which ones. I've got all the libs req'd by ldd,
>>> but I am guessing there is something else that I am missing.
>>
>> ---------- End Original Message ----------
>>
>> from a security standpoint i don't think you want to control access
>> by fqdn.
>> the name being given access is based on the inverse-map lookup
>> (in-addr.arpa) on the inbound ipnumber - not the forward lookup. so,
>> this isn't controlled by the keepers of the "test.com" zone, rather,
>> anyone can set up "eric.test.com" as an inverse entry for an ipnumber
>> for which they control the in-addr.arpa records.
>>

If hosts.allow and friends use the fqdn without reverse validation, then
I consider this a huge bug. The original tcp wrappers will set the
hostname to "unknown" if the reverse and rdns do not match (ip -> rdns
-> ip must return the original IP). I am certain this is still the case
in the current implementations.

>> i.e., putting an fqdn in the hosts.allow file only gives security by
>> obscurity. if someone figures out the fqdns that you're giving access
>> to, and has control of the in-addr.arpa for an ipnumber range they
>> can connect from, they can gain access to your system.
>>
>> - Rick
> 
> 
> 
> Thanks for the feedback Rick.  I didn't realize that security implication. 
> However I'm already running this on a machine that is heavily firewalled on 
> a VPN so I am fairly sure that no one will be accessing this externally, but 
> I still would like to restrict access to particular machines.  Ideally, 
> would rather use FQDN to make life easier for me to administer.  I have 
> created my additional reverse-dns pointer but I am still having problems 
> with it.
> 
> nslookup from the server gives me:
> # nslookup 192.168.3.103
> Server:         192.168.1.67
> Address:        192.168.1.67#53
> 
> 103.3.168.192.in-addr.arpa    name = eric.test.com.3.168.192.in-addr.arpa.
> 

It looks like there is a missing trailing dot in your DNS zone
configuration. I doubt you are authoritative for the in-addr.arpa zone.

in your zone file, you should have something like
103	IN PTR eric.test.example.
(notice the last dot). Otherwise, the zone name (@ORIGIN) will be added.


make sure you have a matching reverse _and_ forward resolution. you
should get something like:

192.168.3.103 => eric.test.example
_and_
eric.test.example => 192.168.3.103

If you only have the reverse lookup, the result is untrusted and sane
applications should ignore it.


> 
> However, when I try to connect to the tftp server, my connection is still 
> refused, and I get the following in the log msgs:
> 
> Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 
> 192.168.103.103
> 
> 
> I am obviously doing something still incorrect, but not sure what.
> 
> Can you help point me in the right direction please?  Is my reverse DNS 
> incorrectly set up?