author Jeff Layton <jlayton@redhat.com> 2009-08-26 06:26:02 -0400
committer Jeff Layton <jlayton@redhat.com> 2009-08-26 06:26:02 -0400
commit da99e3a724b493ba47a06d0704b891819ad16647 (patch)
tree 55a2bfd8341e38e642fc8d40ea4daeb481dd4c89 /swat2.txt
parent 3544e685ade5b331e473c8680d42a748d9389125 (diff)
download samba-da99e3a724b493ba47a06d0704b891819ad16647.tar.gz
samba-da99e3a724b493ba47a06d0704b891819ad16647.tar.bz2
samba-da99e3a724b493ba47a06d0704b891819ad16647.zip
cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get the hostname portion of a principal could open a possible attack vector. If an attacker were to gain control of DNS, then he could redirect the mount to a server of his choosing, and fix the reverse resolution to point to a hostname of his choosing (one where he has the key for the corresponding cifs/ or host/ principal).

That said, we often trust DNS for other reasons and it can be useful to do so. Make the code that allows trusting DNS to be enabled by adding --trust-dns to the cifs.upcall invocation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Diffstat (limited to 'swat2.txt')
0 files changed, 0 insertions, 0 deletions
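The policy the commit message describes, as an added sketch that is not the cifs.upcall source: a PTR answer is consulted for the principal's host part only when the caller has opted in. The names `principal_host`, `rdns_fn` and `fake_rdns` are hypothetical, the resolver is injected so the code runs without DNS, and using a non-IP target exactly as typed is an assumption.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical resolver callback: writes the PTR name for `ip` into `out`,
 * returns 0 on success. Injected so the example needs no live DNS. */
typedef int (*rdns_fn)(const char *ip, char *out, size_t len);

static bool is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Choose the host part of the cifs/ or host/ principal.
 * Returns 0 and fills `host`, or -1 when no trustworthy name is available. */
int principal_host(const char *target, bool trust_dns, rdns_fn rdns,
                   char *host, size_t len)
{
    if (!is_ip_literal(target)) {
        /* Assumption: a name supplied by the caller is used as typed,
         * with no reverse lookup involved. */
        if (strlen(target) >= len)
            return -1;
        strcpy(host, target);
        return 0;
    }
    /* Bare IP address: the PTR answer is under the control of whoever
     * controls DNS, so it is consulted only with the opt-in set. */
    if (!trust_dns || rdns == NULL)
        return -1;
    return rdns(target, host, len);
}

/* Constructed stand-in for a PTR record that someone else controls. */
int fake_rdns(const char *ip, char *out, size_t len)
{
    (void)ip;
    snprintf(out, len, "%s", "untrusted.example.test");
    return 0;
}
```

With the flag off, an IP-only target yields no principal host at all rather than one derived from DNS.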