Date: Wed, 28 Jul 1999 11:21:22 -0400 (EDT)
From: Seth <seth@freebie.dp.ny.frb.org>
To: freebsd-stable@freebsd.org
Subject: tcpd, inetd, and hosts.[allow|deny]
Message-ID: <Pine.BSF.4.10.9907281120500.2516-100000@freebie.dp.ny.frb.org>
I found a problem yesterday that might have some security implications for those users using tcpd, either explicitly or through the new (post-7/21/1999) wrapped inetd.

The problem arises because the default directories for the hosts.[allow|deny] files have changed somewhere along the line, and because tcpd utilities (such as tcpdmatch and tcpdchk) have been part of the FreeBSD distribution (the Makefiles are in usr.sbin, but the source is in contrib/tcp_wrappers) since at least 3.1-R.

Somewhere along the line (as far as I can tell, somewhere between 3.1-RELEASE and 3.2-STABLE of 6/20), the directories that /usr/sbin/tcpdmatch uses to check for tcpd access files changed from /usr/local/etc to /etc. However, tcpd (NOT installed as part of the distribution) uses access files in /usr/local/etc. This inconsistency means that some users who rely on /usr/sbin/tcpdmatch to check security will get false results, as modern builds (but prior to 7/21) of /usr/sbin/tcpdmatch will check /etc as opposed to /usr/local/etc. /usr/local/sbin/tcpdmatch, installed with tcpd, checks /usr/local/etc correctly.

Now, part two. If you've been using /usr/local/libexec/tcpd and associated access files in /usr/local/etc, and you've recently updated (after 7/21) and are now running inetd with -w, note that this wrapped inetd expects the files to be in /etc, not /usr/local/etc (which is where your old tcpd wanted them). If you happen to use /usr/local/sbin/tcpdmatch (the one that comes in the tcpd package) instead of the included /usr/sbin/tcpdmatch, you'll get false results, as /usr/local/sbin/tcpdmatch checks access files in /usr/local/etc.

I filed a bug report about this yesterday (bin/12819). I happen to feel that this is a serious problem, although that's been debated. Doesn't matter. Just be aware that the behavior has changed and that you need to be aware that your access files may need to be moved.

Milestones & summary:

3.1-RELEASE: /usr/sbin/tcpdmatch confirmed to check /usr/local/etc. /usr/local/sbin/tcpdmatch, part of tcpd package, checks /usr/local/etc.

-STABLE of 6/20: /usr/sbin/tcpdmatch has changed somewhere along the line. Checks /etc by default now, even though tcpd isn't integrated into the distribution and expects access files in /usr/local/etc. /usr/local/sbin/tcpdmatch continues to check /usr/local/etc.

-STABLE of 7/21: inetd now wraps; expects access files in /etc. /usr/local/sbin/tcpdmatch continues to check /usr/local/etc.

Sorry for the long-winded message, but I wanted to explain the issue as thoroughly as I could. Also, thanks to Sheldon and the freebsd-bugs team for following up on this pr so promptly.

SB
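The failure mode in the message above (rules sitting in the tree one tool reads while the enforcing wrapper reads another) can be audited mechanically. The script below is an added example written for this page; it is not part of Seth's message, the tcp_wrappers package, or FreeBSD. The directory arguments are assumptions the administrator supplies based on which wrapper is active: per the message, the wrapped inetd (-w) and the post-6/20 /usr/sbin/tcpdmatch read /etc, while the ports tcpd and /usr/local/sbin/tcpdmatch read /usr/local/etc. The demo at the bottom reconstructs the "part two" situation with constructed rule files in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of Seth's message or of FreeBSD: audit whether the
# tcp_wrappers access files live where the *active* wrapper reads them.
# Directory arguments are assumptions the administrator supplies:
#   wrapped inetd (-w) and post-6/20 /usr/sbin/tcpdmatch read /etc,
#   the ports tcpd and /usr/local/sbin/tcpdmatch read /usr/local/etc.

# classify_access_files ACTIVE_DIR OTHER_DIR
# Prints one word describing where hosts.allow/hosts.deny were found:
#   none            - neither tree has access files
#   ok              - files only in the tree the active wrapper reads
#   misplaced       - files only in the tree the active wrapper ignores
#   split-identical - both trees populated with identical rule files
#   split-differ    - both trees populated, but the rule sets differ
classify_access_files() {
    active="$1"
    other="$2"
    in_active=0
    in_other=0
    for f in hosts.allow hosts.deny; do
        if [ -f "$active/$f" ]; then in_active=1; fi
        if [ -f "$other/$f" ]; then in_other=1; fi
    done
    if [ "$in_active" -eq 1 ] && [ "$in_other" -eq 1 ]; then
        for f in hosts.allow hosts.deny; do
            if [ -f "$active/$f" ] && [ -f "$other/$f" ]; then
                # Same file in both trees: compare the bytes
                if ! cmp -s "$active/$f" "$other/$f"; then
                    echo split-differ
                    return 0
                fi
            elif [ -f "$active/$f" ] || [ -f "$other/$f" ]; then
                # Present in one tree only, so the rule sets cannot match
                echo split-differ
                return 0
            fi
        done
        echo split-identical
    elif [ "$in_active" -eq 1 ]; then
        echo ok
    elif [ "$in_other" -eq 1 ]; then
        echo misplaced
    else
        echo none
    fi
}

# explain VERDICT: one-line reading of each classification for an operator
explain() {
    case "$1" in
        ok)              echo "access files are where the active wrapper reads them" ;;
        misplaced)       echo "WARNING: access files exist only where the active wrapper does NOT look; nothing is being enforced" ;;
        split-identical) echo "two copies, currently identical; one will drift, so keep a single tree" ;;
        split-differ)    echo "WARNING: two differing rule sets; tcpdmatch may be testing rules the wrapper never applies" ;;
        none)            echo "no access files at all; tcp_wrappers grants every connection" ;;
        *)               echo "unknown verdict: $1" ;;
    esac
}

# demo: reproduce the "part two" situation from the message using constructed
# rule files under a temporary directory (the rules are made up for the demo).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/usr/local/etc"
    # Old setup: rules written for the ports tcpd, under /usr/local/etc
    printf 'ALL: ALL\n' > "$tmp/usr/local/etc/hosts.deny"
    printf 'sshd: LOCAL\n' > "$tmp/usr/local/etc/hosts.allow"
    # After the 7/21 update the wrapped inetd reads /etc instead
    verdict=$(classify_access_files "$tmp/etc" "$tmp/usr/local/etc")
    echo "wrapped inetd reading $tmp/etc: $verdict"
    explain "$verdict"
    rm -rf "$tmp"
}

demo
# Real audit on a host running inetd -w (assumed paths from the message):
#   explain "$(classify_access_files /etc /usr/local/etc)"
```

The demo prints `misplaced`: the rules exist, /usr/local/sbin/tcpdmatch would happily report them as effective, and the wrapped inetd enforces none of them. Swap the two arguments to audit a host that still runs the ports tcpd from inetd.conf and has started keeping rules in /etc.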