lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-29 11:41:21 +03:00
Code Activity

Fix ruserok scalability with large ~/.rhosts file.

Browse Source 
Fixes bug 18557.

The ruserok API does hosts checks first while it walks the
user's ~/.rhosts file. This results in lots of DNS queries
that could have been skipped if we short-circuit test the
user portion first to see if would have had a failed match.

This supports configurations where rlogin is used on internal
secure networks with large numbers of users and machines.

The Red Hat QE team did extensive testing on various rlogin
combinations to validate this change, and in fact we found
a defect in the first version which is fixed in this version.
This commit is contained in:
Carlos O'Donell
2015-07-08 02:42:11 -04:00
parent 02d5e5d94a
commit 8b59c73386
3 changed files with 51 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
2015-06-18 Carlos O'Donell <carlos@redhat.com>
[BZ #18557]
* inet/rcmd.c (__validuser2_sa): Check user first to
short-circuit host check.
2015-07-07 Pavel Kopyl <p.kopyl@samsung.com> 2015-07-07 Pavel Kopyl <p.kopyl@samsung.com>
Mikhail Ilin <m.ilin@samsung.com> Mikhail Ilin <m.ilin@samsung.com>

36
NEWS
View File

@ -9,24 +9,24 @@ Version 2.22
* The following bugs are resolved with this release: * The following bugs are resolved with this release:
438, 4719, 6792, 13028, 13064, 14094, 14841, 14906, 14958, 15319, 15467, 438, 4719, 6792, 13028, 13064, 14094, 14841, 14906, 14958, 15319,
15790, 15969, 16159, 16339, 16350, 16351, 16352, 16353, 16361, 16512, 15467, 15790, 15969, 16159, 16339, 16350, 16351, 16352, 16353, 16361,
16526, 16538, 16559, 16560, 16704, 16783, 16850, 17053, 17090, 17195, 16512, 16526, 16538, 16559, 16560, 16704, 16783, 16850, 17053, 17090,
17269, 17293, 17322, 17403, 17523, 17542, 17569, 17581, 17588, 17596, 17195, 17269, 17293, 17322, 17403, 17523, 17542, 17569, 17581, 17588,
17620, 17621, 17628, 17631, 17692, 17711, 17715, 17776, 17779, 17792, 17596, 17620, 17621, 17628, 17631, 17692, 17711, 17715, 17776, 17779,
17833, 17836, 17841, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17792, 17833, 17836, 17841, 17912, 17916, 17930, 17932, 17944, 17949,
17965, 17967, 17969, 17977, 17978, 17987, 17991, 17996, 17998, 17999, 17964, 17965, 17967, 17969, 17977, 17978, 17987, 17991, 17996, 17998,
18007, 18019, 18020, 18029, 18030, 18032, 18034, 18036, 18038, 18039, 17999, 18007, 18019, 18020, 18029, 18030, 18032, 18034, 18036, 18038,
18042, 18043, 18046, 18047, 18049, 18068, 18080, 18093, 18100, 18104, 18039, 18042, 18043, 18046, 18047, 18049, 18068, 18080, 18093, 18100,
18110, 18111, 18116, 18125, 18128, 18138, 18185, 18196, 18197, 18206, 18104, 18110, 18111, 18116, 18125, 18128, 18138, 18185, 18196, 18197,
18210, 18211, 18217, 18219, 18220, 18221, 18234, 18244, 18245, 18247, 18206, 18210, 18211, 18217, 18219, 18220, 18221, 18234, 18244, 18245,
18287, 18319, 18324, 18333, 18346, 18371, 18397, 18409, 18410, 18412, 18247, 18287, 18319, 18324, 18333, 18346, 18371, 18397, 18409, 18410,
18418, 18422, 18434, 18435, 18444, 18468, 18469, 18470, 18479, 18483, 18412, 18418, 18422, 18434, 18435, 18444, 18468, 18469, 18470, 18479,
18495, 18496, 18497, 18498, 18502, 18507, 18508, 18512, 18513, 18519, 18483, 18495, 18496, 18497, 18498, 18502, 18507, 18508, 18512, 18513,
18520, 18522, 18527, 18528, 18529, 18530, 18532, 18533, 18534, 18536, 18519, 18520, 18522, 18527, 18528, 18529, 18530, 18532, 18533, 18534,
18539, 18540, 18542, 18544, 18545, 18546, 18547, 18549, 18553, 18558, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547, 18549, 18553,
18569, 18583, 18585, 18586, 18592, 18593, 18594, 18602, 18612, 18613, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593, 18594, 18602,
18619, 18633. 18612, 18613, 18619, 18633.
* Cache information can be queried via sysconf() function on s390 e.g. with * Cache information can be queried via sysconf() function on s390 e.g. with
_SC_LEVEL1_ICACHE_SIZE as argument. _SC_LEVEL1_ICACHE_SIZE as argument.

42
inet/rcmd.c
View File

@ -809,31 +809,43 @@ __validuser2_sa(hostf, ra, ralen, luser, ruser, rhost)
*p = '\0'; /* <nul> terminate username (+host?) */ *p = '\0'; /* <nul> terminate username (+host?) */
/* buf -> host(?) ; user -> username(?) */ /* buf -> host(?) ; user -> username(?) */
if (*buf == '\0')
break;
if (*user == '\0')
user = luser;
/* First check host part */ /* First check the user part. In a naive implementation we
hcheck = __checkhost_sa (ra, ralen, buf, rhost); would check the host part first, then the user. However,
if we check the user first and reject the entry we will
have saved doing any host lookups to normalize the comparison
and that likely saves several DNS queries. Therefore we
check the user first. */
ucheck = __icheckuser (user, ruser);
if (hcheck < 0) /* Either we found the user, or we didn't and this is a
break; negative host check. We must do the negative host lookup
in order to preserve the semantics of stopping on this line
before processing others. */
if (ucheck != 0 || *buf == '-') {
if (hcheck) { /* Next check host part. */
/* Then check user part */ hcheck = __checkhost_sa (ra, ralen, buf, rhost);
if (! (*user))
user = luser;
ucheck = __icheckuser (user, ruser); /* Negative '-host user(?)' match? */
if (hcheck < 0)
break;
/* Positive 'host user' match? */ /* Positive 'host user' match? */
if (ucheck > 0) { if (hcheck > 0 && ucheck > 0) {
retval = 0; retval = 0;
break; break;
} }
/* Negative 'host -user' match? */ /* Negative 'host -user' match? */
if (ucheck < 0) if (hcheck > 0 && ucheck < 0)
break; break;
/* Neither, go on looking for match */ /* Neither, go on looking for match. */
} }
} }