Date: Tue, 8 Jun 1999 07:00:04 -0700 (PDT)
From: David Malone <dwmalone@maths.tcd.ie>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does.
Message-ID: <199906081400.HAA08531@freefall.freebsd.org>
The following reply was made to PR bin/11960; it has been noted by GNATS.
From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does.
Date: Tue, 08 Jun 1999 14:54:44 +0100
> I'm being obtuse. Next time I'll read more carefully. This looks like
> what we want. Do your changes work with wrapped internal services (see
> PR 11651)? Looks to me like your method handles both cases of forked and
> non-forked internals nicely.

I think the code makes sense in both cases. I read the PR and I can't see
how this could upset the internally wrapped case.

Reading the code more carefully, I think I've discovered something else which
should be done all the time - calculating the service name for the syslog.
I've checked all these changes on a 3.2-stable machine and it seems to do the
right thing.

I've an interesting tale of caution for people - if you already have services
wrapped with tcpd and wonder why:

	in.rshd rshd: ALL : severity dshosadh.warning : deny

is allowed by inetd's tcp wrapping, but denied by tcpd's wrapping - remember
inetd will be calling hosts_access with a daemon name of "tcpd"! I wonder
if we should log the daemon's name when we log the rest of the info about
the service - as that is what people are most likely to grep for?

	David.

--- inetd.c Tue Jun 8 13:39:35 1999
+++ inetd.c.orig Tue Jun 8 12:34:30 1999
@@ -629,24 +629,25 @@
sep->se_server_name : sep->se_service,
RQ_FILE, ctrl, NULL);
fromhost(&req);
- deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
- allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
denied = !hosts_access(&req);
- sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
- if (sp == NULL) {
- (void)snprintf(buf, sizeof buf, "%d",
- ntohs(sep->se_ctrladdr.sin_port));
- service = buf;
- } else
- service = sp->s_name;
+ if (denied || log) {
+ sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
+ if (sp == NULL) {
+ (void)snprintf(buf, sizeof buf, "%d",
+ ntohs(sep->se_ctrladdr.sin_port));
+ service = buf;
+ } else
+ service = sp->s_name;
+ }
if (denied) {
syslog(deny_severity,
"refused connection from %.500s, service %s (%s)",
eval_client(&req), service, sep->se_proto);
goto reject;
- } else {
+ }
+ if (log) {
syslog(allow_severity,
- "connection from %.500s, service %s (%s)",
+ "connection from %.500s, service %s (%s)",
eval_client(&req), service, sep->se_proto);
}
}
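
Review bot: the file headers of this hunk put inetd.c on the `---` side and inetd.c.orig on the `+++` side, so the diff reads in reverse. The lines marked `-` (setting deny_severity and allow_severity before hosts_access(), and computing `service` unconditionally) match what the message describes as the change, while the `+` lines with `if (denied || log)` are the original. Please regenerate it with the original file first (diff -u inetd.c.orig inetd.c) so it applies without patch -R. On the question raised in the message: both syslog() format strings record only `service` and `sep->se_proto`, while the name handed to the request setup in the context line above is `sep->se_server_name : sep->se_service`. Adding that daemon name to both messages would let an administrator see which hosts.allow daemon entry a connection was matched against, which is the tcpd mismatch described above.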
