Date:      Wed, 28 Jul 1999 11:21:22 -0400 (EDT)
From:      Seth <seth@freebie.dp.ny.frb.org>
To:        freebsd-stable@freebsd.org
Subject:   tcpd, inetd, and hosts.[allow|deny]
Message-ID:  <Pine.BSF.4.10.9907281120500.2516-100000@freebie.dp.ny.frb.org>

I found a problem yesterday that might have some security implications
for those users using tcpd, either explicitly or through the new (post-
7/21/1999) wrapped inetd.  The problem arises because the default
directories for the hosts.[allow|deny] files have changed somewhere
along the line, and because tcpd utilities (such as tcpdmatch and tcpdchk)
have been part of the FreeBSD distribution (the Makefiles are in usr.sbin,
but the source is in contrib/tcp_wrappers) since at least 3.1-R.

Somewhere along the line (as far as I can tell, somewhere between 
3.1-RELEASE and 3.2-STABLE of 6/20), the directories that
/usr/sbin/tcpdmatch uses to check for tcpd access files changed from
/usr/local/etc to /etc.  However, tcpd (NOT installed as part of the
distribution) uses access files in /usr/local/etc.  This inconsistency
means that some users who rely on /usr/sbin/tcpdmatch to check security
will get false results, as modern builds (but prior to 7/21) of
/usr/sbin/tcpdmatch will check /etc as opposed to /usr/local/etc.
/usr/local/sbin/tcpdmatch, installed with tcpd, checks /usr/local/etc
correctly.

Now, part two.  If you've been using /usr/local/libexec/tcpd and
associated access files in /usr/local/etc, and you've recently updated
(after 7/21) and are now running inetd with -w, note that this wrapped
inetd expects the files to be in /etc, not /usr/local/etc (which is where
your old tcpd wanted them).  If you happen to use 
/usr/local/sbin/tcpdmatch (the one that comes in the tcpd package) instead
of the included /usr/sbin/tcpdmatch, you'll get false results, as
/usr/local/sbin/tcpdmatch checks access files in /usr/local/etc.

I filed a bug report about this yesterday (bin/12819).  I happen to feel
that this is a serious problem, although that's been debated.  Doesn't
matter.  Just be aware that the behavior has changed and that you need to
be aware that your access files may need to be moved.

Milestones & summary:

    3.1-RELEASE:   /usr/sbin/tcpdmatch confirmed to check /usr/local/etc.
                   /usr/local/sbin/tcpdmatch, part of tcpd package, checks
                   /usr/local/etc.

-STABLE of 6/20:   /usr/sbin/tcpdmatch has changed somewhere along the
                   line. Checks /etc by default now, even though tcpd
                   isn't integrated into the distribution and expects
                   access files in /usr/local/etc.
                   /usr/local/sbin/tcpdmatch continues to check
                   /usr/local/etc.

-STABLE of 7/21:   inetd now wraps; expects access files in /etc.
                   /usr/local/sbin/tcpdmatch continues to check
                   /usr/local/etc.

Sorry for the long-winded message, but I wanted to explain the issue as
thoroughly as I could.  Also, thanks to Sheldon and the freebsd-bugs team
for following up on this PR so promptly.

SB
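The split-configuration hazard described in the message, as an added example (not from the original post or from the FreeBSD tree): a POSIX sh audit that, given the directory a particular tcp_wrappers consumer is compiled to read, reports whether its access files are actually there and whether a stale copy sits in the other location. The directory names are the ones from the message; the function names are my own.

```shell
#!/bin/sh
# Added example: audit where tcp_wrappers access files live relative to
# the directory a given binary consults.  Per the message above, the
# wrapped inetd (-w) and the post-6/20 /usr/sbin/tcpdmatch read /etc,
# while the ports tcpd and /usr/local/sbin/tcpdmatch read /usr/local/etc.

# dir_has_access_files DIR -> 0 if DIR holds hosts.allow or hosts.deny
dir_has_access_files() {
    [ -f "$1/hosts.allow" ] || [ -f "$1/hosts.deny" ]
}

# audit_wrapper_dir EXPECTED OTHER... -> prints one of
#   ok              EXPECTED holds the files and no other dir does
#   stale: DIRS     EXPECTED holds files but DIRS do too (two rule sets;
#                   a tcpdmatch reading the wrong one gives false results)
#   misplaced: DIRS EXPECTED is empty but DIRS hold files (those rules are
#                   silently ignored by the binary that reads EXPECTED)
#   none            no access files anywhere (tcp_wrappers allows all)
# Exit status is 0 only for "ok".
audit_wrapper_dir() {
    expected=$1; shift
    stray=""
    for d in "$@"; do
        if dir_has_access_files "$d"; then stray="$stray $d"; fi
    done
    if dir_has_access_files "$expected"; then
        if [ -n "$stray" ]; then printf 'stale:%s\n' "$stray"; return 1; fi
        printf 'ok\n'; return 0
    fi
    if [ -n "$stray" ]; then printf 'misplaced:%s\n' "$stray"; return 1; fi
    printf 'none\n'; return 1
}

# Check the layout the wrapped inetd (and /usr/sbin/tcpdmatch after 6/20)
# will see on this host; a non-"ok" result means the rules you tested with
# one tcpdmatch may not be the rules inetd -w enforces.
audit_wrapper_dir /etc /usr/local/etc \
    || echo "inetd -w: hosts.allow/hosts.deny layout needs attention" >&2
```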
