Article delegate-en/4610 of [1-5169] on the server localhost:119
[Reference:<_A4609@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: PERMIT Permission bug?
11 Oct 2009 08:50:12 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4609@delegate-en.ML_> on 10/10/09(18:47:20)
you NoSFeRaTU <peihqbdyi-puniz7a4ro5r.ml@ml.delegate.org> wrote:
 |On Sat, 10 Oct 2009 17:11:01 +0900 (JST)
 |feedback@delegate.org (Yutaka Sato) wrote:
 |
 | YS> I'm not sure but it might be a side effect of your configuration
 | YS> which is not shown in the log.
...
 |Problem appears with this simple config:
 |-P5555
 |SERVER=http
 |PERMIT="*:*:10.1.1.0/24"
 |
 |I found out why it happens. It is because 10.1.1.1, from which the request comes
 |in the example above, is the same machine where DeleGate is located. Other
 |computers from the net can access through this DeleGate successfully. Anyway, IMHO
 |it is weird behaviour and it is harmful, especially for a VDS which doesn't have
 |loopback.

I see.  I found the problem can be reproduced with the "SAC=x.x.x.x" option,
which simulates an access control check for an access from a client "x.x.x.x",
as follows.  This test does not need any change to the configuration of your
existing DeleGate, nor a real access, so you will be able to reproduce it
easily as shown.

(1) DeleGate/9.9.5
  % delegated SERVER=http HOSTS="xyz/{192.168.9.9,10.9.9.9}" SAC=10.9.9.9 -dh PERMIT="*:*:10.9.9.9" 

  0+0: ---- Simulated Access Control ------
  0+0: -- SAC=10.9.9.9
  0+0: [1/1] EXACT NAME MATCH: xyz += xyz ?
  0+0: [1/1] ==> 1 (PERMIT/SRC xyz)
  0+0: OK 10.9.9.9:1 => http://-:80
  0+0: ---- Simulated Access Control => OK:1 ERR:0

This example simulates a host "xyz" with two interfaces "192.168.9.9" and
"10.9.9.9". The simulated access is from "10.9.9.9" and it is permitted
as an access from "xyz" by NAME.  Note that PERMIT="*:*:10.9.9.9" implies
PERMIT="*:*:10.9.9.9,xyz" implicitly.


(2) DeleGate/9.9.5
  % delegated SERVER=http HOSTS="xyz/{192.168.9.9,10.9.9.9}" SAC=10.9.9.9 -dh PERMIT="*:*:10.9.9.0/24" 

  0+0: ---- Simulated Access Control ------
  0+0: -- SAC=10.9.9.9
  0+0: [1/1] ADDR MATCH: 192.168.9.0 += 10.9.9.0 ?
  0+0: [1/1] ==> 0 (PERMIT/SRC xyz)
  0+0: E-P: No permission: 10.9.9.9:1 => http://- (unmatch PERMIT)
  0+0: ERROR 10.9.9.9:1 => http://-:80
  0+0: ---- Simulated Access Control => OK:0 ERR:1

The address "10.9.9.9" is resolved to "xyz", and "xyz" is resolved to its
first address, "192.168.9.9".  The matching is then applied to the address
"192.168.9.9" and fails to match "10.9.9.0/24".
You can change the behavior with the "/a" option, which applies the matching
by address to the original address, as below.


(3) DeleGate/9.9.5 with "/a" to force address-matching
  % delegated SERVER=http HOSTS="xyz/{192.168.9.9,10.9.9.9}" SAC=10.9.9.9 -dh PERMIT="*:*:10.9.9.0/24,/a" 

  0+0: ---- Simulated Access Control ------
  0+0: -- SAC=10.9.9.9
  0+0: [1/1] ADDR MATCH: 10.9.9.0 += 10.9.9.0 ?
  0+0: [1/1] ==> 1 (PERMIT/SRC xyz)
  0+0: OK 10.9.9.9:1 => http://-:80
  0+0: ---- Simulated Access Control => OK:1 ERR:0


The behavior of (2) may be strange, but since it has been so for a long time,
I could not change it.  The "/a" option in (3) seems to have been introduced in
DeleGate/8.0.5 as a solution for it.
I'm not yet sure, but the enclosed patch may make things work
automatically as expected without affecting behaviors in ancient usages
and configurations.

(4) DeleGate/9.9.6-pre1 candidate with the enclosed patch
  % delegated SERVER=http HOSTS="xyz/{192.168.9.9,10.9.9.9}" SAC=10.9.9.9 -dh PERMIT="*:*:10.9.9.0/24" 

  0+0: ---- Simulated Access Control ------
  0+0: -- SAC=10.9.9.9
  0+0: ## 10.9.9.9 => xyz => 192.168.9.9
  [ 0]P    0:00    1 xyz/{192.168.9.9,10.9.9.9}
  0+0: ## 10.9.9.9 => xyz => 192.168.9.9/ignored
  0+0: [1/1] ADDR MATCH: 10.9.9.0 += 10.9.9.0 ?
  0+0: [1/1] ==> 1 (PERMIT/SRC xyz)
  0+0: OK 10.9.9.9:1 => http://-:80
  0+0: ---- Simulated Access Control => OK:1 ERR:0


Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
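
Added illustration, not DeleGate's code: a minimal C model of the two source-matching paths shown in (2) and (4), with the HOSTS table "xyz/{192.168.9.9,10.9.9.9}" and the PERMIT rules constructed inline. Name matching as in (1) is left out; only the address round trip and the CIDR check are modelled.

```c
/* Model of the PERMIT source-matching behaviour discussed in the message.
 * Host table and rules are constructed for the example; not DeleGate code. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* constructed HOSTS="xyz/{192.168.9.9,10.9.9.9}": the first entry is primary */
static const char *XYZ_ADDRS[] = {"192.168.9.9", "10.9.9.9", NULL};

static uint32_t ip4(const char *s) {            /* dotted quad -> host-order int */
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* reverse lookup: if addr belongs to "xyz", return the host's primary address */
static const char *primary_of(const char *addr) {
    for (int i = 0; XYZ_ADDRS[i]; i++)
        if (strcmp(XYZ_ADDRS[i], addr) == 0) return XYZ_ADDRS[0];
    return NULL;                                /* unknown host: no name */
}

/* does a rule like "10.9.9.0/24" (or a bare address) cover addr? */
static int cidr_match(const char *rule, const char *addr) {
    char net[32]; int bits = 32;
    const char *slash = strchr(rule, '/');
    size_t n = slash ? (size_t)(slash - rule) : strlen(rule);
    if (n >= sizeof net) return 0;
    memcpy(net, rule, n); net[n] = '\0';
    if (slash) bits = atoi(slash + 1);
    uint32_t mask = bits <= 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (ip4(net) & mask) == (ip4(addr) & mask);
}

/* Case (2): client addr -> host name -> host's first address, then match.
 * A multi-homed client is judged by an address it did not connect from. */
int permit_legacy(const char *rule, const char *client) {
    const char *p = primary_of(client);
    return cidr_match(rule, p ? p : client);
}

/* Case (4): when the round trip yields a different address than the literal
 * one the client used, the resolved address is ignored and the literal kept. */
int permit_patched(const char *rule, const char *client) {
    const char *p = primary_of(client);
    if (p && strcmp(p, client) != 0) p = client; /* "=> 192.168.9.9/ignored" */
    return cidr_match(rule, p ? p : client);
}
```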

*** dist/src/delegate9.9.5/src/hostlist.c	Thu Sep 10 20:25:38 2009
--- ./src/hostlist.c	Sun Oct 11 17:08:27 2009
***************
*** 54,59 ****
--- 54,60 ----
  #include "ystring.h"
  #include "vsocket.h" /* for VSAddr */
  #include "dglib.h"
+ int dumpHostCache(FILE *tc);
  
  #include "hostlist.h"
  #define FILE void
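Review bot: the new prototype "int dumpHostCache(FILE *tc);" is inserted ahead of "#define FILE void", so the parameter type it declares is stdio's FILE, while the call "dumpHostCache(curLogFp())" added in the next hunk is compiled after that macro has turned FILE into void. Declaring the function in hostlist.h (included two lines later) or placing the declaration after the #define would keep a single consistent signature; a one-line comment saying where dumpHostCache is defined would also help, since nothing in this file shows it.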
***************
*** 1076,1081 ****
--- 1077,1094 ----
  		if( VA_strtoVAddr(rhostname,&Vaddrasis) ){
  			Vaddr.a_ints = Vaddrasis.a_ints;
  		}
+ 		if( VSA_strisaddr(rhostname) ){
+ 			/* 9.9.6 inconsistent resolution with/without cache */
+ 			sv1log("## %s => %s => %s\n",rhostname,primaryname,
+ 				inAddr(&Vaddr));
+ 			dumpHostCache(curLogFp());
+ 			if( VA_strtoVAddr(rhostname,&Vaddrasis) )
+ 			if( !AddrEQ(Vaddr,Vaddrasis) ){
+ 				sv1log("## %s => %s => %s/ignored\n",
+ 					rhostname,primaryname,inAddr(&Vaddr));
+ 				Vaddr.a_ints = Vaddrasis.a_ints;
+ 			}
+ 		}
  		if( primaryname[0] ){
  			hostname = primaryname;
  			if( vdom ) strcat(primaryname,vdom);
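Review bot: the "sv1log("## %s => %s => %s\n", ...)" and "dumpHostCache(curLogFp())" calls run unconditionally on every access-control check whose client name is a literal address, writing the host cache to the log on each one (the "[ 0]P 0:00 1 xyz/{...}" line in output (4)); before release this should be gated on a debug level or dropped, otherwise the log grows with every connection and the dump sits on the request path. Also, "VA_strtoVAddr(rhostname,&Vaddrasis)" appears twice in this hunk, once at the top of the context and again inside the new block; if both are on the same path, a flag from the first call avoids the second parse. The braceless "if( VA_strtoVAddr(...) )" immediately followed by a second "if( !AddrEQ(...) ){" reads like a mistyped else-if and deserves its own braces.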
