Blame SOURCES/0019-Introduce-reverse_lookup_enable-option.patch

f22e83
From 721de88621100f6ed33f1602415bc249f3ed3219 Mon Sep 17 00:00:00 2001
f22e83
From: Martin Sehnoutka <msehnout@redhat.com>
f22e83
Date: Thu, 17 Nov 2016 10:22:32 +0100
f22e83
Subject: [PATCH 19/59] Introduce reverse_lookup_enable option.
f22e83
f22e83
vsftpd can transform IP address into hostname before
f22e83
PAM authentication. You can disable it to prevent
f22e83
performance issues.
f22e83
---
f22e83
 parseconf.c   |  1 +
f22e83
 sysdeputil.c  | 14 +++++++++-----
f22e83
 tunables.c    |  2 ++
f22e83
 tunables.h    |  1 +
f22e83
 vsftpd.conf.5 |  9 +++++++++
f22e83
 5 files changed, 22 insertions(+), 5 deletions(-)
f22e83
f22e83
diff --git a/parseconf.c b/parseconf.c
f22e83
index 30df598..3e0dba4 100644
f22e83
--- a/parseconf.c
f22e83
+++ b/parseconf.c
f22e83
@@ -91,6 +91,7 @@ parseconf_bool_array[] =
f22e83
   { "mdtm_write", &tunable_mdtm_write },
f22e83
   { "lock_upload_files", &tunable_lock_upload_files },
f22e83
   { "pasv_addr_resolve", &tunable_pasv_addr_resolve },
f22e83
+  { "reverse_lookup_enable", &tunable_reverse_lookup_enable },
f22e83
   { "userlist_log", &tunable_userlist_log },
f22e83
   { "debug_ssl", &tunable_debug_ssl },
f22e83
   { "require_cert", &tunable_require_cert },
f22e83
diff --git a/sysdeputil.c b/sysdeputil.c
f22e83
index 3bbabaa..2063c87 100644
f22e83
--- a/sysdeputil.c
f22e83
+++ b/sysdeputil.c
f22e83
@@ -354,12 +354,16 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
f22e83
     return 0;
f22e83
   }
f22e83
 #ifdef PAM_RHOST
f22e83
-  sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
f22e83
-  host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
f22e83
-  if (host != (struct hostent*)0)
f22e83
-    retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
f22e83
-  else
f22e83
+  if (tunable_reverse_lookup_enable) {
f22e83
+    sin.sin_addr.s_addr = inet_addr(str_getbuf(p_remote_host));
f22e83
+    host = gethostbyaddr((char*)&sin.sin_addr.s_addr,sizeof(struct in_addr),AF_INET);
f22e83
+    if (host != (struct hostent*)0)
f22e83
+      retval = pam_set_item(s_pamh, PAM_RHOST, host->h_name);
f22e83
+    else
f22e83
+      retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
f22e83
+  } else {
f22e83
     retval = pam_set_item(s_pamh, PAM_RHOST, str_getbuf(p_remote_host));
f22e83
+  }
f22e83
   if (retval != PAM_SUCCESS)
f22e83
   {
f22e83
     (void) pam_end(s_pamh, retval);
f22e83
diff --git a/tunables.c b/tunables.c
f22e83
index b30fca1..c737465 100644
f22e83
--- a/tunables.c
f22e83
+++ b/tunables.c
f22e83
@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl;
f22e83
 int tunable_mdtm_write;
f22e83
 int tunable_lock_upload_files;
f22e83
 int tunable_pasv_addr_resolve;
f22e83
+int tunable_reverse_lookup_enable;
f22e83
 int tunable_userlist_log;
f22e83
 int tunable_debug_ssl;
f22e83
 int tunable_require_cert;
f22e83
@@ -213,6 +214,7 @@ tunables_load_defaults()
f22e83
   tunable_mdtm_write = 1;
f22e83
   tunable_lock_upload_files = 1;
f22e83
   tunable_pasv_addr_resolve = 0;
f22e83
+  tunable_reverse_lookup_enable = 1;
f22e83
   tunable_userlist_log = 0;
f22e83
   tunable_debug_ssl = 0;
f22e83
   tunable_require_cert = 0;
f22e83
diff --git a/tunables.h b/tunables.h
f22e83
index e44d64c..9553038 100644
f22e83
--- a/tunables.h
f22e83
+++ b/tunables.h
f22e83
@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
f22e83
 extern int tunable_mdtm_write;                /* Allow MDTM to set timestamps */
f22e83
 extern int tunable_lock_upload_files;         /* Lock uploading files */
f22e83
 extern int tunable_pasv_addr_resolve;         /* DNS resolve pasv_addr */
f22e83
+extern int tunable_reverse_lookup_enable;     /* Get hostname before pam auth */
f22e83
 extern int tunable_userlist_log;              /* Log every failed login attempt */
f22e83
 extern int tunable_debug_ssl;                 /* Verbose SSL logging */
f22e83
 extern int tunable_require_cert;              /* SSL client cert required */
f22e83
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
f22e83
index 72bb86f..fb6324e 100644
f22e83
--- a/vsftpd.conf.5
f22e83
+++ b/vsftpd.conf.5
f22e83
@@ -423,6 +423,15 @@ so you may want to disable it. For a discussion of the consequences, see
f22e83
 http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
f22e83
 (Added in v2.1.0).
f22e83
 
f22e83
+Default: YES
f22e83
+.TP
f22e83
+.B reverse_lookup_enable
f22e83
+Set to YES if you want vsftpd to transform the ip address into the hostname,
f22e83
+before pam authentication. This is useful if you use pam_access including the
f22e83
+hostname. If you want vsftpd to run on the environment where the reverse lookup
f22e83
+for some hostname is available and the name server doesn't respond for a while,
f22e83
+you should set this to NO to avoid a performance issue.
f22e83
+
f22e83
 Default: YES
f22e83
 .TP
f22e83
 .B run_as_launching_user
f22e83
-- 
f22e83
2.14.4
f22e83