Problems with name lookups for host-based access control

[Roger Leigh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A few weeks ago I posted a problem I'd seen with allowing access like
this:

HostNameLookups On

<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From *.whinlatter.ukfsn.org
</Location>

<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From *.whinlatter.ukfsn.org
</Location>

In this case, all hosts in the whinlatter.ukfsn.org. domain are
allowed access.  A DNS server on the local network provides forward
and reverse lookups for all hosts, and this works correctly for all
machines /other than/ the server itself.

In this case, the server is whinlatter.whinlatter.ukfsn.org, and a
peer is wrynose.whinlatter.ukfsn.org.  I can access all normal and
admin pages from wrynose, but not whinlatter (except via the
localhost), i.e. http://whinlatter:631/.

The reason for this is how cupsd is doing name lookups.  For other
machines, it returns and logs the FQDN, but for the local machine it
only returns the hostname.  This is because the value it's getting is
the same as that returned by

  uname -n

rather than that returned by

  hostname -f

(on GNU/Linux).  Setting the hostname to the FQDN ("hostname
whinlatter.whinlatter.ukfsn.org") makes the host name lookups work for
the local machine as well.  Since all the machines use DHCP, this
isn't too desirable, since the domain isn't fixed.

Could cupsd be taught to do name lookups the other way (IIRC
gethostbyname() should do it)?


Regards,
Roger

- -- 
Roger Leigh

                Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFBf++lVcFcaSW/uEgRAmqXAJ9RaCAJ3diIGqwoyzL6KaMNceayhACdFb8z
tK2ow4HVAmQNOd5AlmLqt2w=
=PcYD
-----END PGP SIGNATURE-----