~/.hosts patch
Mike Jakubik
mikej at rogers.com
Wed Jun 21 05:54:46 UTC 2006
Brooks Davis wrote:
> On Wed, Jun 21, 2006 at 12:54:32AM -0400, Mike Jakubik wrote:
>
>> Justin Hibbits wrote:
>>
>>> Hey folks, got an interesting patch. This adds a ~/.hosts file
>>> (personal version of /etc/hosts). It was written against 6-STABLE
>>> about a week before 6.1 was released, and has been sitting collecting
>>> dust for the last month and a half. Currently it augments /etc/hosts
>>> instead of replacing it or prepending it. Any comments? One
>>> suggestion that was made was to make it an nss module so that it could
>>> be controlled by the admin. It probably could use some cleanup as
>>> well, just putting it out here for proof of concept for now, and some
>>> direction.
>>>
>> Just what exactly is the point of having a user specified hosts file?
>> Seems like a bad idea to me, in terms of security.
>>
>
> It's useful for cases where you want to add shortcuts to hosts as a user
> or do interesting ssh port forwarding tricks in some weird cases where
> you must connect to localhost:port as remotehost:port due to
> client/server protocol bugs.
>
> This patch appears to only support ~/.hosts for non-suid binaries which
> is the only real security issue. Any admin relying on host to IP
> mapping for security for ordinary users is an idiot so that case isn't
> worth worrying about. Doing this as a separate nss module probably
> makes sense, but I personally like the feature.
>
Of course relying on /etc/hosts entries for security alone is indeed not
a good idea; however, an admin may choose to resolve, and therefore route,
specified hostnames via /etc/hosts. The user should not be able to
overwrite these. If this behavior is true, then it seems like a
reasonable change to me; otherwise it not only seems to be a security
problem, but also a breach of POLA.
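To make the precedence rule under discussion concrete, here is an added example (not the patch itself, and not FreeBSD libc code): a lookup that consults /etc/hosts-style entries first, lets ~/.hosts only fill in names the system file does not define, and skips the user file entirely for set-id processes. The hosts-file contents, the `privileged` flag (a stand-in for an issetugid() check) and the function names are constructed assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_LINE 256

/* Scan hosts-file text ("addr name [alias...]", '#' comments) for `name`.
 * Returns 1 and copies the address into `out` on a match, 0 otherwise. */
static int lookup_in_hosts(const char *hosts, const char *name,
                           char *out, size_t outlen)
{
    const char *p = hosts;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);
        char *hash = strchr(line, '#');      /* strip trailing comment */
        if (hash) *hash = '\0';
        char *save, *addr = strtok_r(line, " \t", &save);
        if (!addr) continue;                 /* blank or comment-only line */
        for (char *h; (h = strtok_r(NULL, " \t", &save)) != NULL;)
            if (strcmp(h, name) == 0) { snprintf(out, outlen, "%s", addr); return 1; }
    }
    return 0;
}

/* Augment-only semantics: admin entries win, ~/.hosts can only add names,
 * and set-id programs never read the user file. `privileged` stands in for
 * a real issetugid()/getuid()!=geteuid() check (assumption for this example). */
int resolve_host(const char *system_hosts, const char *user_hosts,
                 int privileged, const char *name, char *out, size_t outlen)
{
    if (lookup_in_hosts(system_hosts, name, out, outlen)) return 1;
    if (privileged || user_hosts == NULL) return 0;
    return lookup_in_hosts(user_hosts, name, out, outlen);
}

/* Constructed sample files: the user file tries to redirect an admin name. */
static const char SYSTEM_HOSTS[] =
    "127.0.0.1 localhost\n10.0.0.5 db.internal dbhost   # admin-defined\n";
static const char USER_HOSTS[] =
    "127.0.0.1 dbhost   # ignored: dbhost already defined by the admin\n"
    "192.0.2.7 scratch  # allowed: a new personal shortcut\n";

int main(void)
{
    char buf[64];
    const char *names[] = { "dbhost", "scratch" };
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", names[i],
               resolve_host(SYSTEM_HOSTS, USER_HOSTS, getuid() != geteuid(),
                            names[i], buf, sizeof buf) ? buf : "(not found)");
    return 0;
}
```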