Date: Sat, 5 Jul 2003 10:39:49 -1000 (HST)
From: Vincent Poy
To: "Scot W. Hetzel"
Cc: current@freebsd.org
In-Reply-To: <001801c3432a$d5a23250$11fd2fd8@westbend.net>
Message-ID: <20030705103037.A3146-100000@oahu.WURLDLINK.NET>
Subject: Re: src/libexec/tcpd doesn't work correctly with -DPROCESS_OPTIONS

On Sat, 5 Jul 2003, Scot W. Hetzel wrote:

> From: "Vincent Poy"
> > Any ideas?
> >
>
> According to the inetd man page:
>
>    TCP Wrappers
>    When given the -w option, inetd will wrap all services specified as
>    ``stream nowait'' or ``dgram'' except for ``internal'' services.  If the
>    -W option is given, such ``internal'' services will be wrapped.  If both
>    options are given, wrapping for both internal and external services will
>    be enabled.  Either wrapping option will cause failed connections to be
>    logged to the ``auth'' syslog facility.  Adding the -l flag to the
>    wrapping options will include successful connections in the logging to
>    the ``auth'' facility.
>    :
>    When wrapping is enabled, the tcpd daemon is not required, as that
>    functionality is builtin.
> .....
>
> Also, /etc/defaults/rc.conf shows that inetd_flags has both '-w' and '-W'
> flags set.  If you are using the default flags to inetd, then you don't need
> to use tcpd to wrap your telnetd session.
>
> Did you change your inetd_flags?

	Nope, I have the -wW by default.  I never knew inetd had builtin
wrappers but in that case, then it might be better but I remembered
tcp_wrappers was implemented into the base system and I thought it was in
tcpd since that binary is part of the world build process installation.

> I just tested the builtin tcp_wrappers in inetd, and had no problem with
> adding a banner to my ftpd and telnetd daemons without using the tcpd
> daemon.  But, when I changed the service to:
>
> ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
>
> and then killed -HUP the inetd process, the inetd process wanted the banner
> file to be called 'tcpd' instead of 'ftpd'.

	Actually, it's working correctly for me with the ftpd name.  This
is my /etc/inetd.conf for the ftpd line:

ftp stream tcp nowait root /usr/libexec/ftpd /usr/libexec/ftpd -l

	This is what the hosts.allow line looks like:

telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners

	This is my /etc/banners listing:

root@bigbang [1:33pm][/usr/local/sbin] >> dir /etc/banners
total 38
drwxr-xr-x   3 root  wheel  -   512 Sep  7  2002 .
drwxr-xr-x  18 root  wheel  -  3072 Jul  5 11:59 ..
-rw-r--r--   1 root  wheel  -  2026 Dec 12  1996 Makefile
drwxr-xr-x   2 root  wheel  -   512 Sep  6  2002 deny
-rw-r--r--   1 root  wheel  -   712 Sep  6  2002 deny.telnetd
-rw-r--r--   1 root  wheel  -   219 Sep  6  2002 fingerd
-rw-r--r--   1 root  wheel  -   215 Dec 15  1996 fingerd.bak
-rw-r--r--   1 root  wheel  -  1289 Dec 13  1996 fingerd.old
-rw-r--r--   1 root  wheel  -   634 Sep  6  2002 ftpd
-rwxr-xr-x   1 root  wheel  -  8192 Dec 12  1996 nul
-rw-r--r--   1 root  wheel  -   582 Sep  6  2002 prototype
-rw-r--r--   1 root  wheel  -  1289 Dec 16  1996 prototype.old
-rw-r--r--   1 root  wheel  -     0 Sep  6  2002 rlogind
-rw-r--r--   1 root  wheel  -   582 Sep  6  2002 rshd
-rw-r--r--   1 root  wheel  -   557 Sep  7  2002 sshd
-rw-r--r--   1 root  wheel  -   582 Sep  6  2002 telnetd

	The only thing is that for IPs not defined, it would go straight
to the ftp login prompt and not deny access, I thought deny was default
for anything not defined?

> I also killed inetd, and started it with no flags.  But when I connected to
> the ftpd process, tcpd didn't display the banner (both tcpd and ftpd banner
> files were installed into the banner directory).

	Yep, same here.

> So it looks like tcpd is broken when it comes to displaying banners.

	So it wasn't my imagination. :-)  I wonder if there are actually
any differences between the tcp_wrappers in inetd and the one in tcpd or
is the inetd just the tcpd stuff all integrated and improved.

> I suggest you use inetd's builtin TCP Wrappers support, and forget using
> tcpd.

	That's a good idea since I probably won't remember to fix tcpd if
there is a fix on each cvsup and then buildworld.

> Scot

Cheers,
Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation                                  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
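
Added example, not part of the original message or of the FreeBSD sources: a simplified Python model of first-match evaluation of a hosts_options(5)-style hosts.allow. It shows that a client matching no rule is granted access, consistent with the unlisted-IP behaviour described in the message, and that an explicit catch-all deny changes the verdict. The function names, the trailing `ALL : ALL : deny` rule and the client addresses are assumptions made for the example.

```python
# Added example (not from the thread): simplified model of how libwrap walks a
# hosts.allow file written in hosts_options(5) style (-DPROCESS_OPTIONS).
# Modelled: daemon lists, the ALL wildcard, dotted address prefixes and the
# allow/deny options. Not modelled: hosts.deny, hostnames, netmasks, EXCEPT,
# IPv6 or escaped colons, and side-effect options such as rfc931 or banners.
import re

# The rule quoted in the message above.
PAGE_RULES = "telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners"
# Same rule followed by an explicit catch-all deny (assumed hardening).
HARDENED_RULES = PAGE_RULES + "\nALL : ALL : deny"

def parse_rules(text):
    """Return a list of (daemons, clients, options) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a "daemon_list : client_list" rule
        daemons = [p for p in re.split(r"[,\s]+", fields[0]) if p]
        clients = [p for p in re.split(r"[,\s]+", fields[1]) if p]
        rules.append((daemons, clients, fields[2:]))
    return rules

def pattern_matches(pattern, value):
    """ALL matches anything; a pattern ending in '.' matches an address prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def decide(rules_text, daemon, client_ip):
    """Return (verdict, rule_index); rule_index is None when nothing matched."""
    for index, (daemons, clients, options) in enumerate(parse_rules(rules_text)):
        if (any(pattern_matches(d, daemon) for d in daemons)
                and any(pattern_matches(c, client_ip) for c in clients)):
            # The first matching rule ends the search; without an explicit
            # deny option a matching rule grants access.
            return ("deny" if "deny" in options else "allow", index)
    return ("allow", None)  # no rule matched: the wrapper grants access

if __name__ == "__main__":
    for rules in (PAGE_RULES, HARDENED_RULES):  # client addresses are constructed
        for ip in ("208.201.244.10", "192.0.2.10"):
            print(ip, decide(rules, "ftpd", ip))
```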