Re: localhost.localdomain



On Fri, Oct 07, 2005 at 07:10:07AM +0200, Stig Sandbeck Mathisen wrote:

> Changing the canonical name of localhost is an arbitrary change that
> breaks more than MySQL. It also violates the principle of least
> astonishment.

Then fix those other broken things as well. If you want localhost-style
authentication, you _should_ do the comparison on the IP address rather
than the resolved name for several reasons:

- The IP address range for the loopback interface is standardized
  (127.0.0.0/8). The value returned by the reverse lookup is not.
- Doing the reverse lookup may introduce an attack vector because it
  relies on the whole NSS being configured right. Avoiding the reverse
  lookup avoids this attack vector.
- Doing the reverse lookup is just unnecessary; avoiding it saves CPU
  cycles (this may be important if you want to serve lots of
  connection attempts).

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
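As an added illustration of the argument above (this is example code written for this page, not Gabor's, MySQL's or Debian's code), the following contrasts the two ways of deciding whether a peer is local. The name-based check asks the resolver what the peer address is called and compares against "localhost"; the address-based check compares the peer address against the standardized loopback ranges. The resolver here is a constructed stand-in for gethostbyaddr()/NSS, populated with the two failure modes the mail describes: the loopback address reverse-resolves to a different canonical name (the localhost.localdomain case), and a remote address carries a PTR record claiming to be "localhost". The 203.0.113.5 address and the mapping table are invented for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed reverse-DNS table standing in for the system resolver (NSS).
# It models two misconfigurations: loopback resolving to a different
# canonical name, and a hostile PTR record on a remote (TEST-NET-3) address.
FAKE_REVERSE_DNS: Dict[str, str] = {
    "127.0.0.1": "localhost.localdomain",
    "::1": "ip6-localhost",
    "203.0.113.5": "localhost",  # attacker-controlled PTR record (assumed)
}

Resolver = Callable[[str], str]


def fake_resolver(addr: str) -> str:
    """Constructed resolver; production code would call socket.gethostbyaddr()."""
    try:
        return FAKE_REVERSE_DNS[addr]
    except KeyError:
        raise socket.herror(1, "Unknown host")


def is_local_by_name(addr: str, resolver: Resolver = fake_resolver) -> bool:
    """The fragile check: trust whatever the reverse lookup returns.

    It depends on every layer of name resolution being configured honestly,
    and it costs a lookup per connection.
    """
    try:
        return resolver(addr) == "localhost"
    except socket.herror:
        return False


def is_local_by_address(addr: str) -> bool:
    """The robust check: compare the peer address to the loopback ranges.

    127.0.0.0/8 for IPv4 and ::1 for IPv6 are fixed by the protocol
    specifications, so no lookup is needed and nothing external can
    influence the answer.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them so
    # ::ffff:127.0.0.1 is recognised and ::ffff:203.0.113.5 is not.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def peer_is_local(sock: socket.socket) -> bool:
    """Apply the address-based check to an accepted connection.

    AF_UNIX peers are local by construction; for AF_INET/AF_INET6 the
    kernel-reported peer address is compared, never a resolved name.
    """
    if sock.family == socket.AF_UNIX:
        return True
    peer = sock.getpeername()
    return is_local_by_address(peer[0])


def compare(addr: str) -> Dict[str, bool]:
    """Return both verdicts for one peer address, for side-by-side viewing."""
    return {
        "by_name": is_local_by_name(addr),
        "by_address": is_local_by_address(addr),
    }


if __name__ == "__main__":
    for a in ("127.0.0.1", "203.0.113.5", "::1", "::ffff:127.0.0.1"):
        print(a, compare(a))
```

With the constructed resolver, the name check rejects the genuine loopback client (its canonical name is not the exact string "localhost") and accepts the remote address with the forged PTR record; the address check gets both right without touching the resolver at all. In a real server, peer_is_local() would be called on the socket returned by accept().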