| Summary: | msec keeps making /etc/host.conf incompatible with latest glibc | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | w unruh <unruh> |
| Component: | RPM Packages | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED INVALID | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, lewyssmith, mageia |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | msec-2.7-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
w unruh
2020-02-24 01:24:11 CET
glibc-2.29/resolv/res_hconf.c
...
static const struct cmd
{
  const char name[11];
  uint8_t cb;
  unsigned int arg;
} cmd[] =
{
  {"order", CB_none, 0},
  {"trim", CB_arg_trimdomain_list, 0},
  {"multi", CB_arg_bool, HCONF_FLAG_MULTI},
  {"reorder", CB_arg_bool, HCONF_FLAG_REORDER}
};
Note no "spoof" command.
See also
static void
parse_line (const char *fname, int line_num, const char *str)
Thank you for pointing this out. It would be nice to confirm:
> msec, I believe, is changing /etc/host.conf to insert the antispoofing lines
for example by cleaning the file of the offending lines, awaiting a pass of msec, then showing the altered file.
Certainly there is no justification for having at all the keywords:
nospoof
spoofalert
spoof
because as you point out, "Since glibc 2.0.7, the following keywords ... have been recognized but never implemented". And are no longer even recognised.
msec has no registered nor evident maintainer, so assigning this globally; CC'ing Raphael who did past commits for it.

Assignee: bugsquad => pkg-bugs

Are you sure this is being done by mcc? On my Mageia 7 x86-64 system, just after cron.hourly ran ...

[root@x7 ~]# cat /etc/host.conf
order hosts,bind
multi on
[root@x7 ~]# grep -r nospoof /usr/share
/usr/share/zsh/5.7.1/functions/Completion/Solaris/_dladm: 'protection:value:(mac-nospoof ip-nospoof dhcp-nospoof restricted)'
/usr/share/vim/syntax/hostconf.vim: \ nospoof

msec is installed, and ran its hourly checks.

CC: (none) => davidwhodgins

Hi,

Is your system a fresh install ? Upgraded from which version ?

Can you provide the content of at least :
/etc/host.conf
/etc/security/msec/security.conf

Can you provide too the content of the :
/etc/security/msec/$BASE_LEVEL

And all modified files in /etc returned by :
$ rpm -V msec

Can you provide the result of :
$ rpm -qa | sort | uniq

To find which files are modified on your system :
# rpm -Va

On my server a mageia 7 x86_64 too system, I have :
$ cat /etc/host.conf
order hosts,bind
multi on

My /etc/security/msec/security.conf content :
BASE_LEVEL=webserver

I have :
$ rpm -q glibc msec systemd
glibc-2.29-19.mga7
msec-2.7-1.mga7
systemd-241-8.5.mga7

Don't see a problem with my msec.hourly or anything in my case...

Best regards

Yes, it is definitely being done by msec. It is the "SPOOF" entries in /etc/security/msec/level* entries: ENABLE_DNS_SPOOFING_PROTECTION=
and ENABLE_IP_SPOOFING_PROTECTION=.
which is implemented in /usr/share/msec/network.py
>grep hostconf /usr/share/msec/plugins *
network.py: hostconf = self.configfiles.get_config_file(HOSTCONF)
network.py: val = hostconf.get_match('nospoof\s+on')
network.py: hostconf.replace_line_matching('nospoof', 'nospoof on', 1)
network.py: hostconf.replace_line_matching('spoofalert', 'spoofalert on', (alert != 0))
network.py: hostconf.remove_line_matching('nospoof')
network.py: hostconf.remove_line_matching('spoofalert')
Just as examples.
(In reply to Raphael Gertz from comment #4)
> My /etc/security/msec/security.conf content :
> BASE_LEVEL=webserver

webserver level has the SPOOF items turned off. standard, secure, as examples have them turned on. But these SPOOF items do not belong there at all since those items in host.conf were never implemented in glibc anyway, and now they give error messages.

@Dave Would you like to cross-check comment 6?
@Raphael Thanks for your intervention.

(In reply to w unruh from comment #5)
> Yes, it is definitely being done by msec. It is the "SPOOF" entries in
> /etc/security/msec/level* entries: ENABLE_DNS_SPOOFING_PROTECTION=
> and ENABLE_IP_SPOOFING_PROTECTION=.
>
> which is implemented in /usr/share/msec/network.py
>
> >grep hostconf /usr/share/msec/plugins *
> network.py: hostconf = self.configfiles.get_config_file(HOSTCONF)

# grep -iIr hostconf /usr/share/msec
/usr/share/msec/plugins/msec.py:HOSTCONF = '/etc/host.conf'
/usr/share/msec/plugins/network.py:HOSTCONF = '/etc/host.conf'
# rpm -q -f /usr/share/msec/plugins/network.py
msec-2.7-1.mga7

What is the output of "rpm -q msec"?

info:14.0[unruh]>rpm -q msec
msec-2.7-1.mga7

Given your grep output, I have reinstalled msec, just in case I replaced the files with the ones from Mga5. I do not remember doing so. Now I do not find those hostconf lines after reinstallation. Sorry, this might have been a wild goose chase after all. Closing the bug

Status: NEW => RESOLVED
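
A lint for the condition this report describes, as an added example that is not part of the bug thread or of msec: it flags /etc/host.conf lines whose keyword is absent from the glibc-2.29 cmd[] table quoted in the description. The function names and the sample file are constructed; ignoring '#' comment lines and matching keywords case-insensitively are assumptions about parse_line.

```python
import sys

# Keywords in the cmd[] table of glibc-2.29 resolv/res_hconf.c, as quoted in the report.
RECOGNIZED = {"order", "trim", "multi", "reorder"}
# Spoof keywords named in the thread as obsolete.
SPOOF = {"nospoof", "spoofalert", "spoof"}

# Constructed sample: a host.conf carrying the two lines network.py is shown writing.
SAMPLE = (
    "# constructed sample\n"
    "order hosts,bind\n"
    "multi on\n"
    "nospoof on\n"
    "spoofalert on\n"
)


def lint_host_conf(text):
    """Return (line_number, keyword, reason) for each line with an unlisted keyword."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and '#' comments are ignored by the parser.
        if not line or line.startswith("#"):
            continue
        # Assumption: keywords are compared case-insensitively.
        keyword = line.split()[0].lower()
        if keyword in RECOGNIZED:
            continue
        reason = "obsolete spoof keyword" if keyword in SPOOF else "unknown keyword"
        findings.append((num, keyword, reason))
    return findings


def strip_unrecognized(text):
    """Return the file content with every flagged line removed."""
    flagged = {num for num, _, _ in lint_host_conf(text)}
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    for num, keyword, reason in lint_host_conf(content):
        print(f"line {num}: {keyword}: {reason}")
```

Run against a copy of /etc/host.conf after msec's hourly pass, an empty result matches the clean file shown in the thread.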