This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix ruserok scalability with large ~/.rhosts file.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 18 Jun 2015 12:05:37 -0400
- Subject: Re: [PATCH] Fix ruserok scalability with large ~/.rhosts file.
- Authentication-results: sourceware.org; auth=none
- References: <5582E8CF dot 3030509 at redhat dot com>
On 06/18/2015 11:50 AM, Carlos O'Donell wrote:
> The ruserok API does hosts checks first while it walks the
> user's ~/.rhosts file. This results in lots of DNS queries
> that could have been skipped if we short-circuit test the
> user portion first to see if it would have had a failed match.
>
> This supports configurations where rlogin is used on internal
> secure networks with large numbers of users and machines.
>
> The Red Hat QE team did extensive testing on various rlogin
> combinations to validate this change, and in fact we found
> a defect in the first version which is fixed in this version.
> Unfortunately without installed tree + container testing we
> can't add an easy test case for this. We need to set up one
> or two systems in order to verify, and that's what we did.
> We'll get to this eventually though.
>
> I have also updated the linux kernel man page to describe
> the configuration syntax in more detail:
> http://git.kernel.org/cgit/docs/man-pages/man-pages.git/commit/?id=427cee53f06a4be5bfd808191ecc5624d3f0240b
> (with some follow up commits)
>
> Tested on x86-64, i686, ppc64, ppc64le, aarch64, s390, and
> s390x with no regressions.
>
> OK?
>
> 2015-06-18 Carlos O'Donell <carlos@redhat.com>
[BZ #18557]
> * inet/rcmd.c (__validuser2_sa): Check user first to short-circuit
> additional host check.
Added BZ since this is user visible behaviour.
Cheers,
Carlos.
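
The reordering described in the quoted message, as an added example (not the glibc patch and not code from this thread): it walks a constructed `.rhosts` sample in both orders and counts how many host checks each order performs. Assumptions: only plain `host [user]` entries are handled (no `+`/`-` or netgroup entries), the host check is a counting stub rather than a resolver call, and all function names and sample entries are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: plain "host [user]" entries only. */
static const char SAMPLE[] =
    "hosta.example alice\n"
    "hostb.example bob\n"
    "hostc.example\n"
    "hostd.example dave\n";

static int host_lookups; /* counts simulated resolver calls */

/* Hypothetical stand-in for the expensive host check (DNS in real code). */
static int host_matches(const char *entry, const char *rhost) {
    host_lookups++;
    return strcmp(entry, rhost) == 0;
}

/* An empty user field means the remote user must equal the local user. */
static int user_matches(const char *entry, const char *luser, const char *ruser) {
    return strcmp(ruser, *entry ? entry : luser) == 0;
}

/* Return 1 if some line allows ruser@rhost to log in as luser. */
static int rhosts_allows(const char *rhost, const char *luser,
                         const char *ruser, int user_first) {
    host_lookups = 0;
    for (const char *p = SAMPLE; *p; ) {
        size_t len = strcspn(p, "\n");
        char line[256], host[128] = "", user[128] = "";
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        p += len + (p[len] == '\n');
        if (sscanf(line, "%127s %127s", host, user) < 1)
            continue; /* blank line */
        /* && short-circuits: the second check runs only if the first passes. */
        int ok = user_first
            ? user_matches(user, luser, ruser) && host_matches(host, rhost)
            : host_matches(host, rhost) && user_matches(user, luser, ruser);
        if (ok)
            return 1;
    }
    return 0;
}

int main(void) {
    for (int uf = 0; uf <= 1; uf++) {
        int ok = rhosts_allows("hostd.example", "dave", "dave", uf);
        printf("%s first: allowed=%d lookups=%d\n", uf ? "user" : "host", ok, host_lookups);
    }
    return 0;
}
```

For these plain entries the allow/deny result is the same in both orders; only the number of host checks changes, and a remote user who appears on no line triggers none at all in the user-first order.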