host.conf.5: spoof deprecated ?

host.conf.5: spoof deprecated ?

[Stéphane Aulery]

** COPY OF GLIBC BUGZILLA #18091 FOR INFORMATION **
https://sourceware.org/bugzilla/show_bug.cgi?id=18091

-----------------------------------------------------

Hello,

A Debian user reported that [1]:

> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
> they are still valid keywords but do not have any effect apparently,
> no libraries or tools use them
> 
> it is misleading to see references to resolv+ and rlogin, the keywords
> are just ignored these days; the only meaning they have is that they
> are
> allowed by host.conf syntax

The glibc source code seems to confirm that the keywords nospoof,
spoofalert and spoof are accepted but without effects. I could find
nothing in the changelog. Could you please confirm that they are
obsolete? I could correct the man page accordingly.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443

Regards,

-- 
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: host.conf.5: spoof deprecated ?

[Michael Kerrisk (man-pages)]

Hello Stéphane

On 03/08/2015 02:05 PM, Stéphane Aulery wrote:
> ** COPY OF GLIBC BUGZILLA #18091 FOR INFORMATION **
> https://sourceware.org/bugzilla/show_bug.cgi?id=18091
> 
> -----------------------------------------------------
> 
> Hello,
> 
> A Debian user reported that [1]:
> 
>> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
>> they are still valid keywords but do not have any effect apparently,
>> no libraries or tools use them
>>
>> it is misleading to see references to resolv+ and rlogin, the keywords
>> are just ignored these days; the only meaning they have is that they
>> are
>> allowed by host.conf syntax
> 
> The glibc source code seems to confirm that the keywords nospoof,
> spoofalert and spoof are accepted but without effects. I could find
> nothing in the changelog. Could you please confirm that they are
> obsolete? I could correct the man page accordingly.

I had a quick grep in the glibc source code.

It appears that you (and the reporter) are correct. (Even back in 
glibc 2.1, things look the same).

A patch would be appreciated!

Cheers,

Michael

PS For reports like this, when you've checked things, it would speed 
things a little to note how you deduced your info (e.g., reference 
to source file and function).



> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: host.conf.5: spoof deprecated ?

[Stéphane Aulery]

Le lundi 09 mars 2015 à 08:22:01, Michael Kerrisk (man-pages) a écrit :
> Hello Stéphane
> 
> On 03/08/2015 02:05 PM, Stéphane Aulery wrote:
> > ** COPY OF GLIBC BUGZILLA #18091 FOR INFORMATION **
> > https://sourceware.org/bugzilla/show_bug.cgi?id=18091
> > 
> > -----------------------------------------------------
> > 
> > Hello,
> > 
> > A Debian user reported that [1]:
> > 
> >> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
> >> they are still valid keywords but do not have any effect apparently,
> >> no libraries or tools use them
> >>
> >> it is misleading to see references to resolv+ and rlogin, the keywords
> >> are just ignored these days; the only meaning they have is that they
> >> are
> >> allowed by host.conf syntax
> > 
> > The glibc source code seems to confirm that the keywords nospoof,
> > spoofalert and spoof are accepted but without effects. I could find
> > nothing in the changelog. Could you please confirm that they are
> > obsolete? I could correct the man page accordingly.
> 
> I had a quick grep in the glibc source code.
> 
> It appears that you (and the reporter) are correct. (Even back in 
> glibc 2.1, things look the same).
> 
> A patch would be appreciated!

Eventually, I may check others values too.
Do you to want to drop obsolete values or add a note ?

Cheers,

-- 
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: host.conf.5: spoof deprecated ?

[Michael Kerrisk (man-pages)]

On 03/09/2015 08:59 AM, Stéphane Aulery wrote:
> Le lundi 09 mars 2015 à 08:22:01, Michael Kerrisk (man-pages) a écrit :
>> Hello Stéphane
>>
>> On 03/08/2015 02:05 PM, Stéphane Aulery wrote:
>>> ** COPY OF GLIBC BUGZILLA #18091 FOR INFORMATION **
>>> https://sourceware.org/bugzilla/show_bug.cgi?id=18091
>>>
>>> -----------------------------------------------------
>>>
>>> Hello,
>>>
>>> A Debian user reported that [1]:
>>>
>>>> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
>>>> they are still valid keywords but do not have any effect apparently,
>>>> no libraries or tools use them
>>>>
>>>> it is misleading to see references to resolv+ and rlogin, the keywords
>>>> are just ignored these days; the only meaning they have is that they
>>>> are
>>>> allowed by host.conf syntax
>>>
>>> The glibc source code seems to confirm that the keywords nospoof,
>>> spoofalert and spoof are accepted but without effects. I could find
>>> nothing in the changelog. Could you please confirm that they are
>>> obsolete? I could correct the man page accordingly.
>>
>> I had a quick grep in the glibc source code.
>>
>> It appears that you (and the reporter) are correct. (Even back in 
>> glibc 2.1, things look the same).
>>
>> A patch would be appreciated!
> 
> Eventually, I may check others values too.
> Do you to want to drop obsolete values or add a note ?

Best to keep a note that they exist, but do nothing.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: host.conf.5: spoof deprecated ?

[Stéphane Aulery]

Hello Michael,

Le lundi 09 mars 2015 à 10:03:09, Michael Kerrisk (man-pages) a écrit :
> On 03/09/2015 08:59 AM, Stéphane Aulery wrote:
> > Le lundi 09 mars 2015 à 08:22:01, Michael Kerrisk (man-pages) a écrit :
> >>
> >> On 03/08/2015 02:05 PM, Stéphane Aulery wrote:
> >>>
> >>> A Debian user reported that [1]:
> >>>
> >>>> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
> >>>> they are still valid keywords but do not have any effect apparently,
> >>>> no libraries or tools use them
> >>>>
> >>>> it is misleading to see references to resolv+ and rlogin, the keywords
> >>>> are just ignored these days; the only meaning they have is that they
> >>>> are
> >>>> allowed by host.conf syntax
> >>>
> >>> The glibc source code seems to confirm that the keywords nospoof,
> >>> spoofalert and spoof are accepted but without effects. I could find
> >>> nothing in the changelog. Could you please confirm that they are
> >>> obsolete? I could correct the man page accordingly.
> >>
> >> I had a quick grep in the glibc source code.
> >>
> >> It appears that you (and the reporter) are correct. (Even back in 
> >> glibc 2.1, things look the same).
> >>
> >> A patch would be appreciated!

I dug a little further comparing versions 2.0.6 [1], 2.0.7 [2]
and trunk [3] of glibc and I come to a different conclusion.

The keywords nospoof, spoofalert, spoof and RESOLV_SPOOF_CHECK were
added to glibc 2.0.7 but never implemented and documented in the
changelog.

[1] http://ftp.gnu.org/gnu/glibc/glibc-2.0.6.tar.gz
[2] http://archive.debian.org/debian/dists/hamm/main/source/libs/glibc_2.0.7t.orig.tar.gz
[3] https://sourceware.org/git/?p=glibc.git&a=search&h=HEAD&st=grep&s=spoof&sr=1

Regards,

-- 
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] host.conf.5: keywords and env. var. nospoof, spoofalert, spoof and RESOLV_SPOOF_CHECK were added to glibc 2.0.7 but never implemented

[Stéphane Aulery]

Move descriptions to historical section and reorder it for clarity

Debian Bug #773443 reported by ygrex-dSU6fMGyTqw@public.gmane.org

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443
Signed-off-by: Stéphane Aulery <saulery-GANU6spQydw@public.gmane.org>
---
 man5/host.conf.5 | 125 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 63 insertions(+), 62 deletions(-)

diff --git a/man5/host.conf.5 b/man5/host.conf.5
index 9ff2ed3..08da435 100644
--- a/man5/host.conf.5
+++ b/man5/host.conf.5
@@ -66,52 +66,6 @@ This is
 by default, as it may cause a substantial performance loss at sites
 with large hosts files.
 .TP
-.I nospoof
-Valid values are
-.IR on " and " off .
-If set to
-.IR on ,
-the resolv+ library will attempt to prevent hostname spoofing to
-enhance the security of
-.BR rlogin " and " rsh .
-It works as follows: after performing a host address lookup, resolv+
-will perform a hostname lookup for that address.
-If the two hostnames
-do not match, the query will fail.
-The default value is
-.IR off .
-.TP
-.I spoofalert
-Valid values are
-.IR on " and " off .
-If this option is set to
-.I on
-and the
-.I nospoof
-option is also set, resolv+ will log a warning of the error via the
-syslog facility.
-The default value is
-.IR off .
-.TP
-.I spoof
-Valid values are
-.IR off ", " nowarn " and " warn .
-If this option is set to
-.IR off ,
-spoofed addresses are permitted and no warnings will be emitted
-via the syslog facility.
-If this option is set to
-.IR warn ,
-resolv+ will attempt to prevent hostname spoofing to
-enhance the security and log a warning of the error via the syslog
-facility.
-If this option is set to
-.IR nowarn ,
-the resolv+ library will attempt to prevent hostname spoofing to
-enhance the security but not emit warnings via the syslog facility.
-Setting this option to anything else is equal to setting it to
-.IR nowarn .
-.TP
 .I reorder
 Valid values are
 .IR on " and " off .
@@ -133,15 +87,6 @@ override the behavior which is configured in
 If set, this variable points to a file that should be read instead of
 .IR /etc/host.conf .
 .TP
-.B RESOLV_SPOOF_CHECK
-Overrides the
-.IR nospoof ", " spoofalert " and " spoof
-commands in the same way as the
-.I spoof
-command is parsed.
-Valid values are
-.IR off ", " nowarn " and " warn .
-.TP
 .B RESOLV_MULTI
 Overrides the
 .I multi
@@ -184,6 +129,10 @@ can take arguments like
 .IR off ", " nowarn " and " warn .
 Line comments can appear anywhere and not only at the beginning of a line.
 .SS Historical
+The
+.BR nsswitch.conf (5)
+file is the modern way of controlling the order of host lookups.
+.PP
 In glibc 2.4 and earlier, the following keyword is recognized:
 .TP
 .I order
@@ -191,15 +140,67 @@ This keyword specifies how host lookups are to be performed.
 It should be followed by one or more lookup methods, separated by commas.
 Valid methods are
 .IR bind ", " hosts ", and " nis .
-The
+.TP
 .B RESOLV_SERV_ORDER
-environment variable could be used to override the
-.I order
-command.
+Overrides the order command.
 .PP
-The
-.BR nsswitch.conf (5)
-file is the modern way of controlling the order of host lookups.
+Since glibc 2.0.7, the following keywords and environment variable have
+been recognized but never implemented:
+.TP
+.I nospoof
+Valid values are
+.IR on " and " off .
+If set to
+.IR on ,
+the resolv+ library will attempt to prevent hostname spoofing to
+enhance the security of
+.BR rlogin " and " rsh .
+It works as follows: after performing a host address lookup, resolv+
+will perform a hostname lookup for that address.
+If the two hostnames
+do not match, the query will fail.
+The default value is
+.IR off .
+.TP
+.I spoofalert
+Valid values are
+.IR on " and " off .
+If this option is set to
+.I on
+and the
+.I nospoof
+option is also set, resolv+ will log a warning of the error via the
+syslog facility.
+The default value is
+.IR off .
+.TP
+.I spoof
+Valid values are
+.IR off ", " nowarn " and " warn .
+If this option is set to
+.IR off ,
+spoofed addresses are permitted and no warnings will be emitted
+via the syslog facility.
+If this option is set to
+.IR warn ,
+resolv+ will attempt to prevent hostname spoofing to
+enhance the security and log a warning of the error via the syslog
+facility.
+If this option is set to
+.IR nowarn ,
+the resolv+ library will attempt to prevent hostname spoofing to
+enhance the security but not emit warnings via the syslog facility.
+Setting this option to anything else is equal to setting it to
+.IR nowarn .
+.TP
+.B RESOLV_SPOOF_CHECK
+Overrides the
+.IR nospoof ", " spoofalert " and " spoof
+commands in the same way as the
+.I spoof
+command is parsed.
+Valid values are
+.IR off ", " nowarn " and " warn .
 .SH SEE ALSO
 .BR gethostbyname (3),
 .BR hosts (5),
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: host.conf.5: spoof deprecated ?

[Michael Kerrisk (man-pages)]

Hello Stéphane,

On 10 March 2015 at 00:26, Stéphane Aulery <saulery-GANU6spQydw@public.gmane.org> wrote:
> Hello Michael,
>
> Le lundi 09 mars 2015 à 10:03:09, Michael Kerrisk (man-pages) a écrit :
>> On 03/09/2015 08:59 AM, Stéphane Aulery wrote:
>> > Le lundi 09 mars 2015 à 08:22:01, Michael Kerrisk (man-pages) a écrit :
>> >>
>> >> On 03/08/2015 02:05 PM, Stéphane Aulery wrote:
>> >>>
>> >>> A Debian user reported that [1]:
>> >>>
>> >>>> spoof* keywords (nospoof, spoofalert, spoof) are here from 1996,
>> >>>> they are still valid keywords but do not have any effect apparently,
>> >>>> no libraries or tools use them
>> >>>>
>> >>>> it is misleading to see references to resolv+ and rlogin, the keywords
>> >>>> are just ignored these days; the only meaning they have is that they
>> >>>> are
>> >>>> allowed by host.conf syntax
>> >>>
>> >>> The glibc source code seems to confirm that the keywords nospoof,
>> >>> spoofalert and spoof are accepted but without effects. I could find
>> >>> nothing in the changelog. Could you please confirm that they are
>> >>> obsolete? I could correct the man page accordingly.
>> >>
>> >> I had a quick grep in the glibc source code.
>> >>
>> >> It appears that you (and the reporter) are correct. (Even back in
>> >> glibc 2.1, things look the same).
>> >>
>> >> A patch would be appreciated!
>
> I dug a little further comparing versions 2.0.6 [1], 2.0.7 [2]
> and trunk [3] of glibc and I come to a different conclusion.
>
> The keywords nospoof, spoofalert, spoof and RESOLV_SPOOF_CHECK were
> added to glibc 2.0.7 but never implemented and documented in the
> changelog.

Perfect -- that's exactly the sort of detail it's great to have in man-pages!

Cheers,

Michael


> [1] http://ftp.gnu.org/gnu/glibc/glibc-2.0.6.tar.gz
> [2] http://archive.debian.org/debian/dists/hamm/main/source/libs/glibc_2.0.7t.orig.tar.gz
> [3] https://sourceware.org/git/?p=glibc.git&a=search&h=HEAD&st=grep&s=spoof&sr=1
>
> Regards,
>
> --
> Stéphane Aulery



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: [PATCH] host.conf.5: keywords and env. var. nospoof, spoofalert, spoof and RESOLV_SPOOF_CHECK were added to glibc 2.0.7 but never implemented

[Michael Kerrisk (man-pages)]

On 03/10/2015 12:27 AM, Stéphane Aulery wrote:
> Move descriptions to historical section and reorder it for clarity

Thanks, Stéphane.

Applied. But please make patch titles shorter (<72 chars) --move text 
to the body of the commit message as needed.

Thanks,

Michael


> Debian Bug #773443 reported by ygrex-dSU6fMGyTqw@public.gmane.org
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773443
> Signed-off-by: Stéphane Aulery <saulery-GANU6spQydw@public.gmane.org>
> ---
>  man5/host.conf.5 | 125 ++++++++++++++++++++++++++++---------------------------
>  1 file changed, 63 insertions(+), 62 deletions(-)
> 
> diff --git a/man5/host.conf.5 b/man5/host.conf.5
> index 9ff2ed3..08da435 100644
> --- a/man5/host.conf.5
> +++ b/man5/host.conf.5
> @@ -66,52 +66,6 @@ This is
>  by default, as it may cause a substantial performance loss at sites
>  with large hosts files.
>  .TP
> -.I nospoof
> -Valid values are
> -.IR on " and " off .
> -If set to
> -.IR on ,
> -the resolv+ library will attempt to prevent hostname spoofing to
> -enhance the security of
> -.BR rlogin " and " rsh .
> -It works as follows: after performing a host address lookup, resolv+
> -will perform a hostname lookup for that address.
> -If the two hostnames
> -do not match, the query will fail.
> -The default value is
> -.IR off .
> -.TP
> -.I spoofalert
> -Valid values are
> -.IR on " and " off .
> -If this option is set to
> -.I on
> -and the
> -.I nospoof
> -option is also set, resolv+ will log a warning of the error via the
> -syslog facility.
> -The default value is
> -.IR off .
> -.TP
> -.I spoof
> -Valid values are
> -.IR off ", " nowarn " and " warn .
> -If this option is set to
> -.IR off ,
> -spoofed addresses are permitted and no warnings will be emitted
> -via the syslog facility.
> -If this option is set to
> -.IR warn ,
> -resolv+ will attempt to prevent hostname spoofing to
> -enhance the security and log a warning of the error via the syslog
> -facility.
> -If this option is set to
> -.IR nowarn ,
> -the resolv+ library will attempt to prevent hostname spoofing to
> -enhance the security but not emit warnings via the syslog facility.
> -Setting this option to anything else is equal to setting it to
> -.IR nowarn .
> -.TP
>  .I reorder
>  Valid values are
>  .IR on " and " off .
> @@ -133,15 +87,6 @@ override the behavior which is configured in
>  If set, this variable points to a file that should be read instead of
>  .IR /etc/host.conf .
>  .TP
> -.B RESOLV_SPOOF_CHECK
> -Overrides the
> -.IR nospoof ", " spoofalert " and " spoof
> -commands in the same way as the
> -.I spoof
> -command is parsed.
> -Valid values are
> -.IR off ", " nowarn " and " warn .
> -.TP
>  .B RESOLV_MULTI
>  Overrides the
>  .I multi
> @@ -184,6 +129,10 @@ can take arguments like
>  .IR off ", " nowarn " and " warn .
>  Line comments can appear anywhere and not only at the beginning of a line.
>  .SS Historical
> +The
> +.BR nsswitch.conf (5)
> +file is the modern way of controlling the order of host lookups.
> +.PP
>  In glibc 2.4 and earlier, the following keyword is recognized:
>  .TP
>  .I order
> @@ -191,15 +140,67 @@ This keyword specifies how host lookups are to be performed.
>  It should be followed by one or more lookup methods, separated by commas.
>  Valid methods are
>  .IR bind ", " hosts ", and " nis .
> -The
> +.TP
>  .B RESOLV_SERV_ORDER
> -environment variable could be used to override the
> -.I order
> -command.
> +Overrides the order command.
>  .PP
> -The
> -.BR nsswitch.conf (5)
> -file is the modern way of controlling the order of host lookups.
> +Since glibc 2.0.7, the following keywords and environment variable have
> +been recognized but never implemented:
> +.TP
> +.I nospoof
> +Valid values are
> +.IR on " and " off .
> +If set to
> +.IR on ,
> +the resolv+ library will attempt to prevent hostname spoofing to
> +enhance the security of
> +.BR rlogin " and " rsh .
> +It works as follows: after performing a host address lookup, resolv+
> +will perform a hostname lookup for that address.
> +If the two hostnames
> +do not match, the query will fail.
> +The default value is
> +.IR off .
> +.TP
> +.I spoofalert
> +Valid values are
> +.IR on " and " off .
> +If this option is set to
> +.I on
> +and the
> +.I nospoof
> +option is also set, resolv+ will log a warning of the error via the
> +syslog facility.
> +The default value is
> +.IR off .
> +.TP
> +.I spoof
> +Valid values are
> +.IR off ", " nowarn " and " warn .
> +If this option is set to
> +.IR off ,
> +spoofed addresses are permitted and no warnings will be emitted
> +via the syslog facility.
> +If this option is set to
> +.IR warn ,
> +resolv+ will attempt to prevent hostname spoofing to
> +enhance the security and log a warning of the error via the syslog
> +facility.
> +If this option is set to
> +.IR nowarn ,
> +the resolv+ library will attempt to prevent hostname spoofing to
> +enhance the security but not emit warnings via the syslog facility.
> +Setting this option to anything else is equal to setting it to
> +.IR nowarn .
> +.TP
> +.B RESOLV_SPOOF_CHECK
> +Overrides the
> +.IR nospoof ", " spoofalert " and " spoof
> +commands in the same way as the
> +.I spoof
> +command is parsed.
> +Valid values are
> +.IR off ", " nowarn " and " warn .
>  .SH SEE ALSO
>  .BR gethostbyname (3),
>  .BR hosts (5),
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Bug#773443: [PATCH] host.conf.5: keywords and env. var. nospoof, spoofalert, spoof and RESOLV_SPOOF_CHECK were added to glibc 2.0.7 but never implemented

[Stéphane Aulery]

Le mardi 10 mars 2015 à 07:20:51, Michael Kerrisk (man-pages) a écrit :
> On 03/10/2015 12:27 AM, Stéphane Aulery wrote:
> > Move descriptions to historical section and reorder it for clarity
> 
> Thanks, Stéphane.
> 
> Applied. But please make patch titles shorter (<72 chars) --move text 
> to the body of the commit message as needed.

Ok, I will.

-- 
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html