[nsd-users] allow-notify on localhost

Farkas Levente lfarkas at bppiac.hu
Tue Sep 18 10:58:45 UTC 2007


Mark Santcroos wrote:
> Hi Farkas,
> 
> Farkas Levente wrote:
>> Mark Santcroos wrote:
>>>> Or even make it implicit to always
>>>> allow this from localhost (if you can't trust localhost, you have more
>>>> problems)
>>> For security reasons, and no really good reasons in favour of it, we
>>> won't make it trust localhost by default.
>> can you explain it a little bit more detailed?
> 
> On multiuser systems you can't (always) trust access from localhost.
> 
> In theory, accepting notifies should indeed not be a problem, but
> because it accepts packets from the wire there is always a chance that
> there is a bug in the handling of it.
> 
> Therefore we don't want to make that the default for everyone.
> 
> Does this make it more clear?

hmm ;-) ok, I know that, but you assume someone who runs nsd on a server
which has users who send so many fake notifies that it can cause a problem?
And if it accepts notifies from anywhere, then if the handling is buggy it's
still the same problem, since the remote system can also be multiuser;
what's more, this system's owner probably has less control/knowledge over
the other system than over his own system.

-- 
  Levente                               "Si vis pacem para bellum!"


