This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Fix ruserok scalability with large ~/.rhosts file.


On 06/18/2015 11:50 AM, Carlos O'Donell wrote:
> The ruserok API does hosts checks first while it walks the
> user's ~/.rhosts file. This results in lots of DNS queries
> that could have been skipped if we short-circuit test the
> user portion first to see if it would have had a failed match.
> 
> This supports configurations where rlogin is used on internal
> secure networks with large numbers of users and machines.
> 
> The Red Hat QE team did extensive testing on various rlogin
> combinations to validate this change, and in fact we found
> a defect in the first version which is fixed in this version.
> Unfortunately without installed tree + container testing we
> can't add an easy test case for this. We need to set up one
> or two systems in order to verify, and that's what we did.
> We'll get to this eventually though.
> 
> I have also updated the linux kernel man page to describe
> the configuration syntax in more detail:
> http://git.kernel.org/cgit/docs/man-pages/man-pages.git/commit/?id=427cee53f06a4be5bfd808191ecc5624d3f0240b
> (with some follow-up commits)
> 
> Tested on x86-64, i686, ppc64, ppc64le, aarch64, s390, and
> s390x with no regressions.
> 
> OK?
> 
> 2015-06-18  Carlos O'Donell  <carlos@redhat.com>

	[BZ #18557]

> 	* inet/rcmd.c (__validuser2_sa): Check user first to short-circuit
> 	additional host check.

Added BZ since this is user visible behaviour.

Cheers,
Carlos.
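
The ordering change described in the quoted message, as an added example that is not part of the original message and is not glibc's code: it walks a constructed set of `.rhosts` entries host-first and then user-first and counts the simulated DNS queries each order makes. It assumes plain `host user` entries only (no negation or netgroup syntax), and `host_matches` is a hypothetical stub standing in for the resolver-backed host check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample entries: plain "host user" pairs only (assumption). */
struct entry { const char *host; const char *user; };
static const struct entry rhosts[] = {
    { "build01.example.test", "alice" },
    { "build02.example.test", "bob"   },
    { "build03.example.test", "carol" },
    { "build04.example.test", "dave"  },
    { "build05.example.test", "erin"  },
};
#define N_ENTRIES (sizeof rhosts / sizeof rhosts[0])

static int lookups;   /* simulated DNS queries made by the last check */
int lookups_done(void) { return lookups; }

/* Hypothetical stand-in for the expensive, resolver-backed host check. */
static int host_matches(const char *entry_host, const char *rhost)
{
    lookups++;
    return strcmp(entry_host, rhost) == 0;
}

/* Host check first: one lookup per entry walked. Returns 0 if allowed, -1 if not. */
int check_host_first(const char *rhost, const char *ruser)
{
    lookups = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (host_matches(rhosts[i].host, rhost) && strcmp(rhosts[i].user, ruser) == 0)
            return 0;
    return -1;
}

/* User check first: && short-circuits, so only entries naming ruser cost a lookup. */
int check_user_first(const char *rhost, const char *ruser)
{
    lookups = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(rhosts[i].user, ruser) == 0 && host_matches(rhosts[i].host, rhost))
            return 0;
    return -1;
}

int main(void)
{
    check_host_first("build04.example.test", "dave");
    printf("host first: %d lookups\n", lookups_done());
    check_user_first("build04.example.test", "dave");
    printf("user first: %d lookups\n", lookups_done());
    return 0;
}
```

Both orders return the same decision for these entries; only the number of lookups differs.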

