[linux-cifs-client] [PATCH] cifs.upcall: make using ip address conditional on new option

Jeff Layton jlayton at redhat.com
Wed Aug 26 04:29:45 MDT 2009


On Wed, 19 Aug 2009 13:30:37 -0400
Jeff Layton <jlayton at redhat.com> wrote:

> Igor Mammedov pointed out that reverse resolving an IP address to get
> the hostname portion of a principal could open a possible attack
> vector. If an attacker were to gain control of DNS, then he could
> redirect the mount to a server of his choosing, and fix the reverse
> resolution to point to a hostname of his choosing (one where he has
> the key for the corresponding cifs/ or host/ principal).
> 
> That said, we often trust DNS for other reasons and it can be useful
> to do so. Make the code that allows trusting DNS to be enabled by
> adding --trust-dns to the cifs.upcall invocation.
> 
> Signed-off-by: Jeff Layton <jlayton at redhat.com>
> ---
>  client/cifs.upcall.c |   62 ++++++++++++++++++++++++++++++++-----------------
>  1 files changed, 40 insertions(+), 22 deletions(-)
> 

Pushed to samba master branch (along with a corresponding manpage update).

-- 
Jeff Layton <jlayton at redhat.com>
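
The gating described in the commit message above, as an added C example; it is not cifs.upcall's code and not part of the original message. The function name `principal_host`, the sample inputs, and the policy of refusing an address literal when DNS is not trusted are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added illustration, not cifs.upcall source; principal_host() is a hypothetical name. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Pick the host part of a cifs/<host> or host/<host> principal: 0 on success, -1 if none. */
int principal_host(const char *server, int trust_dns, char *out, size_t outlen)
{
	struct sockaddr_storage ss;
	struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
	struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
	socklen_t sslen;
	memset(&ss, 0, sizeof(ss));
	if (inet_pton(AF_INET, server, &s4->sin_addr) == 1) {
		s4->sin_family = AF_INET;
		sslen = sizeof(*s4);
	} else if (inet_pton(AF_INET6, server, &s6->sin6_addr) == 1) {
		s6->sin6_family = AF_INET6;
		sslen = sizeof(*s6);
	} else {
		/* Not an address literal: use the name exactly as it was given. */
		if (!*server || strlen(server) >= outlen)
			return -1;
		strcpy(out, server);
		return 0;
	}
	/* Address literal: a name can only come from a PTR lookup, and whoever
	 * controls DNS controls that answer. Assumed policy: refuse unless opted in. */
	if (!trust_dns)
		return -1;
	/* NI_NAMEREQD fails instead of handing back the numeric address. */
	return getnameinfo((struct sockaddr *)&ss, sslen, out, outlen,
			   NULL, 0, NI_NAMEREQD) == 0 ? 0 : -1;
}

int main(void)
{
	const char *in[] = { "fileserver.example.com", "192.0.2.10" }; /* constructed */
	char host[256];
	for (int i = 0; i < 4; i++) /* each input with trust_dns 0, then 1 */
		printf("trust_dns=%d %s -> %s\n", i / 2, in[i % 2],
		       principal_host(in[i % 2], i / 2, host, sizeof(host)) ? "(refused)" : host);
	return 0;
}
```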

