Date:      Tue, 8 Jun 1999 07:00:04 -0700 (PDT)
From:      David Malone <dwmalone@maths.tcd.ie>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Message-ID:  <199906081400.HAA08531@freefall.freebsd.org>

The following reply was made to PR bin/11960; it has been noted by GNATS.

From: David Malone <dwmalone@maths.tcd.ie>
To: Sheldon Hearn <sheldonh@uunet.co.za>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/11960: inetd built in wrapping doesn't log like tcpd does. 
Date: Tue, 08 Jun 1999 14:54:44 +0100

 > I'm being obtuse. Next time I'll read more carefully. This looks like
 > what we want. Do your changes work with wrapped internal services (see
 > PR 11651)? Looks to me like your method handles both cases of forked and
 > non-forked internals nicely.
 
 I think the code makes sense in both cases. I read the PR and I can't see
 how this could upset the internally wrapped case.
 
 Reading the code more carefully, I think I've discovered something else which
 should be done all the time - calculating the service name for the syslog.
 I've checked all these changes on a 3.2-stable machine and it seems to do the
 right thing.
 
 I've an interesting tale of caution for people - if you already have services
 wrapped with tcpd and wonder why:
 
 in.rshd rshd: ALL : severity dshosadh.warning : deny
 
 Is allowed by inetd's tcp wrapping, but denied by tcpd's wrapping - remember
 inetd will be calling hosts_access with a daemon name of "tcpd"! I wonder
 if we should log the daemon's name when we log the rest of the info about
 the service - as that is what people are most likely to grep for?
 
 	David.
 
 
 --- inetd.c	Tue Jun  8 13:39:35 1999
 +++ inetd.c.orig	Tue Jun  8 12:34:30 1999
 @@ -629,24 +629,25 @@
  					sep->se_server_name : sep->se_service,
  					RQ_FILE, ctrl, NULL);
  				fromhost(&req);
 -				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
 -				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
  				denied = !hosts_access(&req);
 -				sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 -				if (sp == NULL) {
 -				    (void)snprintf(buf, sizeof buf, "%d",
 -					ntohs(sep->se_ctrladdr.sin_port));
 -				    service = buf;
 -				} else
 -				    service = sp->s_name;
 +				if (denied || log) {
 +				    sp = getservbyport(sep->se_ctrladdr.sin_port, sep->se_proto);
 +				    if (sp == NULL) {
 +					(void)snprintf(buf, sizeof buf, "%d",
 +					   ntohs(sep->se_ctrladdr.sin_port));
 +					service = buf;
 +				    } else
 +					service = sp->s_name;
 +				}
  				if (denied) {
  				    syslog(deny_severity,
  				        "refused connection from %.500s, service %s (%s)",
  				        eval_client(&req), service, sep->se_proto);
  				    goto reject;
 -				} else {
 +				}
 +				if (log) {
  				    syslog(allow_severity,
 -					"connection from %.500s, service %s (%s)",
 +				        "connection from %.500s, service %s (%s)",
  					eval_client(&req), service, sep->se_proto);
  				}
  			    }
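
Review bot: the file headers are reversed (`--- inetd.c` carries the later timestamp and is the modified file, `+++ inetd.c.orig` is the original), so the `-` lines are the proposed code and the patch only applies with `patch -R`; please regenerate it as `diff -u inetd.c.orig inetd.c`. Read in that direction, the final `} else {` branch calls `syslog(allow_severity, ...)` for every accepted connection, where the original guarded that call with `if (log)`. The message only mentions computing the service name all the time, so either state in the PR that accepted connections are now always logged, or keep the `if (log)` test around the allow-side syslog. The two assignments to `deny_severity` and `allow_severity` before `hosts_access(&req)` would also benefit from a one-line comment saying why they are reset on each connection.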
 

