From owner-freebsd-security Wed Jan 24 10:30:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA10443 for security-outgoing; Wed, 24 Jan 1996 10:30:59 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA10421 for ; Wed, 24 Jan 1996 10:30:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id KAA13149; Wed, 24 Jan 1996 10:28:44 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199601241828.KAA13149@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: Nathan Lawson
cc: jseng@stf.org.sg (James Seng), security@freebsd.org
Subject: Re: Ownership of files/tcp_wrappers port
In-reply-to: Your message of "Wed, 24 Jan 96 02:12:18 PST." <199601241012.CAA11879@statler.csc.calpoly.edu>
Date: Wed, 24 Jan 96 10:28:44 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
Precedence: bulk

Nathan Lawson wrote:
> > On Tue, 23 Jan 1996, Nathan Lawson wrote:
> > Before we get over paranoid over security, let us remember that the
> > primary aim of a base distribution is to provide a dynamic system, of
> > course minus the security bugs.
>
> Well, then FreeBSD has failed.  See the recent telnetd environment bug for
> an example of this.  If you had wrapped telnetd and only allowed connects
> from certain sites, you could have limited the scope of this vulnerability.

In that case so have Sun, IBM, DEC, and HP, to name a few, failed.  Bugs are
the nature of the beast.  Though TCPD is a good product, configuration is at
the heart of the issue.  For example, I like to use the auth facility for
logging TCPD logs, not the mail facility.

Even when I ran Linux I had to recompile TCPD, for the reason I stated above
and because Slackware had an older copy of TCPD.  Ports is where TCPD belongs.
It doesn't take much to extract TCPD, reconfigure it and do a make install.

As far as converting inetd.conf to use TCPD, here is an awk script I use on
the Sun and DEC boxes I manage at work.  This could be incorporated in the
port to make the job of installing TCPD much easier.

#!/usr/bin/awk -f
# Rewrite inetd.conf (stdin) so that external services are started through tcpd.
NF == 0 {print; next}    # blank lines pass through unchanged
# Server path contains "sbin": keep the old entry as "## ", pass $7 on to tcpd.
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 ~ /sbin/ && $7 !~ /identd/ {print "## " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $7 "\t" $8 " " $9}
# Server path elsewhere: keep the old entry as "## ", pass the full path ($6) on to tcpd.
$1 !~ /^#/ && $6 != "internal" && $6 !~ /tcpd/ && $6 !~ /sbin/ && $7 !~ /identd/ {print "## " $0; print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 "\t/usr/local/etc/tcpd\t" $6 "\t" $8 " " $9}
# Comment out the inetd built-in services, except time.
$1 != "time" && $6 == "internal" {print "## " $0}
$1 == "time" {print $0}
# Comments, entries already using tcpd, and identd pass through unchanged.
$1 ~ /^#/ || $6 ~ /tcpd/ || $7 ~ /identd/ {print $0}

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

        "Quit spooling around, JES do it."
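
Added example, not part of the original message or of the tcp_wrappers distribution: a check to run over inetd.conf after a conversion like the one in the message, listing enabled services that still start without tcpd. The names audit_inetd and sample_conf and the sample entries are constructed for illustration; the treatment of identd, time and the other built-ins follows the awk script in the message.

```sh
#!/bin/sh
# Added example (not from the original post): audit an inetd.conf for
# enabled services that do not start through tcpd.
# Assumptions: a wrapped entry has a server program path ending in /tcpd;
# identd and the internal "time" service are left alone, as in the awk script
# in the message; other inetd built-ins are expected to be commented out.

audit_inetd() {
    # Reads inetd.conf from the file operands, or stdin when none are given.
    # Prints one tab-separated finding per line; returns 1 if any were found.
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # blank or commented out
        $6 == "internal" {                        # inetd built-in, no tcpd involved
            if ($1 != "time") { print "INTERNAL\t" $1 "/" $3; bad++ }
            next
        }
        $6 ~ /\/tcpd$/ || $7 ~ /identd/ { next }  # wrapped, or identd
        { print "UNWRAPPED\t" $1 "/" $3 "\t" $6; bad++ }
        END { exit (bad > 0) }
    ' "$@"
}

sample_conf() {
    # Constructed sample entries, not taken from any real host.
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/local/etc/tcpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd    telnetd
echo    stream  tcp  nowait  root    internal
time    stream  tcp  nowait  root    internal
ident   stream  tcp  nowait  nobody  /usr/local/sbin/identd  identd -l

## shell stream tcp  nowait  root    /usr/libexec/rshd       rshd
EOF
}

# Demo run over the sample; on a real host: audit_inetd /etc/inetd.conf
sample_conf | audit_inetd || echo "unwrapped or built-in services remain enabled"
```

The non-zero return lets the check gate an install step or a periodic job: an empty report with status 0 means every enabled external service goes through tcpd.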