On Fri, Aug 08, 2014 at 01:24:50PM +0200, Mateusz Jończyk wrote:
> Hello,
> The man page for nss-myhostname:
> http://www.freedesktop.org/software/systemd/man/nss-myhostname.html
> suggests that myhostname should be used as a last entry in
> /etc/nsswitch.conf:
> "It is recommended to put myhostname last in the nsswitch.conf line to
> make sure that this mapping is only used as fallback, and any DNS or
> /etc/hosts based mapping takes precedence."
>
> This may be risky because an attacker that knows the system hostname and
> can control DNS query results (by MITM attacks, i.e. after breaking into
> a home gateway) is able to redirect requests to the local host to a
> machine of his control.
>
> For example if I opened "http://mateusz-ubuntu:631" in a web browser,
> and logged in there, an attacker could gain access to my CUPS user password.
>
> On the other hand, an attacker that is able to listen to DNS queries can
> get knowledge of the local hostname (because it usually does not contain
> any dots) and that way identify a person behind a particular IP address
> (and/or gain some knowledge of his software / hardware - for example my
> hostname is mateusz-ubuntu).

We discussed this recently [1]. The idea is that the hostname is controlled by the DNS admin. There's certain logic to this, and it's the way that things have always worked.
OTOH, maybe a documentation patch explaining the situation would not be bad.

[1] http://www.mail-archive.com/[email protected]/msg21345.html

Zbyszek

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
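The thread turns on where `myhostname` sits relative to `dns` on the `hosts:` line of nsswitch.conf. The following is an added example, not code from the thread or from systemd: a small audit script that parses a nsswitch.conf `hosts:` line (skipping comments and `[...]` action specifiers) and reports whether the local-hostname mapping is consulted before or after DNS. The sample file contents are constructed for the example; the function names are my own.

```python
import re
import sys

# Constructed sample nsswitch.conf contents (not taken from the original mail).
SAMPLE_RECOMMENDED = """\
# /etc/nsswitch.conf - ordering recommended by the nss-myhostname man page
passwd: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
"""

SAMPLE_LOCAL_FIRST = """\
hosts: files myhostname dns
"""


def hosts_services(nsswitch_text):
    """Return the ordered list of service names on the 'hosts:' line.
    Comments are ignored and action specifiers such as [NOTFOUND=return]
    are dropped, since they are not lookup services."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "hosts":
            rest = re.sub(r"\[[^\]]*\]", " ", rest)
            return rest.split()
    return []


def myhostname_position(nsswitch_text):
    """Describe where myhostname sits relative to dns on the hosts line.
    Returns 'absent', 'no_dns', 'before_dns' or 'after_dns'."""
    services = hosts_services(nsswitch_text)
    if "myhostname" not in services:
        return "absent"
    if "dns" not in services:
        return "no_dns"
    if services.index("myhostname") < services.index("dns"):
        return "before_dns"
    return "after_dns"


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], "->", myhostname_position(fh.read()))
    else:
        print("recommended ordering ->", myhostname_position(SAMPLE_RECOMMENDED))
        print("myhostname first     ->", myhostname_position(SAMPLE_LOCAL_FIRST))
```

Run it as `python3 audit_nsswitch.py /etc/nsswitch.conf` to see which ordering a given host uses; `after_dns` is the man page's recommended layout, in which a DNS answer for the bare hostname is used before the local mapping.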
