
Re: localhost.localdomain

On Fri, Oct 07, 2005 at 07:10:07AM +0200, Stig Sandbeck Mathisen wrote:

> Changing the canonical name of localhost is an arbitrary change that
> breaks more than MySQL. It also violates the principle of least
> astonishment.

Then fix those other broken things as well. If you want localhost-style
authentication, you _should_ do the comparison on the IP address rather
than the resolved name for several reasons:

- The IP address range for the loopback interface is standardized
  ( The value returned by the reverse lookup is not.
- Doing the reverse lookup may introduce an attack vector because it
  relies on the whole NSS being configured right. Avoiding the reverse
  lookup avoids this attack vector.
- Doing the reverse lookup is just unnecessary; avoiding it saves CPU
  cycles (this may be important if you want to serve lots of
  connection attempts).


     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
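The two approaches contrasted in the reply above, as an added example that is not part of the original post: one check compares the peer's IP address against the standardized loopback ranges (127.0.0.0/8 and ::1, assumed from the IPv4/IPv6 standards), the other reverse-resolves the address and trusts the resulting name, so it is only as sound as the resolver configuration behind it. The `resolve` hook is a hypothetical parameter added so the name-based variant can be exercised without a real lookup.

```python
import ipaddress
import socket

# Standardized loopback ranges (assumed from RFC 1122 / RFC 4291).
LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def is_loopback_peer(peer_addr: str) -> bool:
    """Decide 'localhost' from the peer's IP address alone (no name lookup)."""
    try:
        # Drop an IPv6 scope id such as "%eth0" before parsing.
        addr = ipaddress.ip_address(peer_addr.split("%", 1)[0])
    except ValueError:
        # Not an IP literal (e.g. a hostname): never treat it as local.
        return False
    # A dual-stack IPv6 socket reports IPv4 peers as ::ffff:a.b.c.d;
    # unwrap so the IPv4 range check still applies.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOOPBACK_NETS)


def is_loopback_peer_by_name(peer_addr: str, resolve=socket.gethostbyaddr) -> bool:
    """The fragile variant: reverse-resolve the peer and trust the name.

    `resolve` defaults to the real resolver; the test passes a fake one to
    show that whatever the NSS layer answers decides the outcome.
    """
    try:
        canonical_name = resolve(peer_addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return False
    return canonical_name == "localhost"
```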
