Date: Tue, 27 Jul 1999 18:25:59 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Seth <seth@freebie.dp.ny.frb.org>
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: bin/12819: tcpd hosts.[allow|deny] location inconsistent
Message-ID: <24974.933092759@axl.noc.iafrica.com>
In-Reply-To: Your message of "Tue, 27 Jul 1999 11:00:50 -0400." <Pine.BSF.4.10.9907271054530.4341-100000@freebie.dp.ny.frb.org>

On Tue, 27 Jul 1999 11:00:50 -0400, Seth wrote:

> I have to object, however, to the implication that I misclassified the
> severity of this problem.

I can see where you're coming from, but...

> In my opinion, if your standard tests (tcpdmatch, etc.) tell you
> that your system is denying certain connections, when in fact these
> connections are being allowed, you've got a pretty serious security
> issue.

If you have a legacy tcpd installed, then tcpd is run out of the wrapped
inetd. The default /etc/hosts.allow allows _everything_. Therefore, the
base system's tcpdmatch will tell you that _anything_ is allowed. It's
only once you start meddling with /etc/hosts.allow that this may change.
Once you've meddled with it, you know it's there and you worry. :-)

> Finally, if you go through my previous send-pr's, I think you'll find that
> I've always erred on the conservative side when estimating the level of
> severity. I hope you'll agree after reading this that the classification
> I submitted was, in retrospect, a fair one.

Nope, but I can see why you thought it was severe. I do want to make it
clear that I didn't mean "you are in the habit of selecting poor
Severity levels". I didn't look at your PR history at all.

> Thanks again for looking at this issue so quickly. Is there a fix for
> it?

The integration of tcp_wrappers into the base system was fairly well
documented and announced. The only thing that's unfortunate is that the
release notes don't reference the inetd(8) manpage and said manpage
should be cross-referenced in the hosts_access(5) manpage. I'll take
care of that.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message