Re: localhost.localdomain
On Fri, Oct 07, 2005 at 07:10:07AM +0200, Stig Sandbeck Mathisen wrote:
> Changing the canonical name of localhost is an arbitrary change that
> breaks more than MySQL. It also violates the principle of least
> astonishment.
Then fix those other broken things as well. If you want localhost-style
authentication, you _should_ do the comparison on the IP address rather
than the resolved name for several reasons:
- The IP address range for the loopback interface is standardized
  (127.0.0.0/8). The value returned by the reverse lookup is not.
- Doing the reverse lookup may introduce an attack vector because it
  relies on the whole NSS being configured right. Avoiding the reverse
  lookup avoids this attack vector.
- Doing the reverse lookup is just unnecessary; avoiding it saves CPU
  cycles (this may be important if you want to serve lots of
  connection attempts)
Gabor
--
---------------------------------------------------------
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
---------------------------------------------------------
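
The address-based comparison argued for in the message above, as an added example that is not part of the original message or of MySQL's code. The function names `peer_is_loopback` and `text_is_loopback` are hypothetical, and the handling of `::1` and IPv4-mapped IPv6 addresses goes beyond the 127.0.0.0/8 range the message mentions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Return 1 if the peer address (e.g. from accept() or getpeername()) is a
 * loopback address, else 0. No resolver call is made, so the result does
 * not depend on /etc/hosts, DNS or any other NSS source. */
int peer_is_loopback(const struct sockaddr *sa)
{
    if (sa == NULL)
        return 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        /* 127.0.0.0/8: the first octet is 127 */
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_LOOPBACK(a))        /* ::1 */
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(a))        /* ::ffff:a.b.c.d */
            return a->s6_addr[12] == 127;
    }
    return 0;                               /* any other family or address */
}

/* Demo helper (hypothetical): parse a numeric address string and classify
 * it. Returns -1 if the text is not a numeric IPv4/IPv6 address. */
int text_is_loopback(const char *text)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
    memset(&ss, 0, sizeof ss);
    if (inet_pton(AF_INET, text, &in4->sin_addr) == 1)
        in4->sin_family = AF_INET;
    else if (inet_pton(AF_INET6, text, &in6->sin6_addr) == 1)
        in6->sin6_family = AF_INET6;
    else
        return -1;
    return peer_is_loopback((const struct sockaddr *)&ss);
}

int main(void)
{
    /* Constructed sample peer addresses */
    const char *peers[] = { "127.0.0.1", "127.45.6.7", "::1",
                            "::ffff:127.0.0.1", "192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-18s loopback=%d\n", peers[i], text_is_loopback(peers[i]));
    return 0;
}
```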