From owner-freebsd-stable Wed Jul 28 8:22:39 1999
Date: Wed, 28 Jul 1999 11:21:22 -0400 (EDT)
From: Seth
Subject: tcpd, inetd, and hosts.[allow|deny]
To: freebsd-stable@freebsd.org

I found a problem yesterday that might have some security implications for those users using tcpd, either explicitly or through the new (post-7/21/1999) wrapped inetd.

The problem arises because the default directories for the hosts.[allow|deny] files have changed somewhere along the line, and because tcpd utilities (such as tcpdmatch and tcpdchk) have been part of the FreeBSD distribution (the Makefiles are in usr.sbin, but the source is in contrib/tcp_wrappers) since at least 3.1-R.

Somewhere along the line (as far as I can tell, somewhere between 3.1-RELEASE and 3.2-STABLE of 6/20), the directories that /usr/sbin/tcpdmatch uses to check for tcpd access files changed from /usr/local/etc to /etc. However, tcpd (NOT installed as part of the distribution) uses access files in /usr/local/etc. This inconsistency means that some users who rely on /usr/sbin/tcpdmatch to check security will get false results, as modern builds (but prior to 7/21) of /usr/sbin/tcpdmatch will check /etc as opposed to /usr/local/etc. /usr/local/sbin/tcpdmatch, installed with tcpd, checks /usr/local/etc correctly.

Now, part two.

If you've been using /usr/local/libexec/tcpd and associated access files in /usr/local/etc, and you've recently updated (after 7/21) and are now running inetd with -w, note that this wrapped inetd expects the files to be in /etc, not /usr/local/etc (which is where your old tcpd wanted them). If you happen to use /usr/local/sbin/tcpdmatch (the one that comes in the tcpd package) instead of the included /usr/sbin/tcpdmatch, you'll get false results, as /usr/local/sbin/tcpdmatch checks access files in /usr/local/etc.

I filed a bug report about this yesterday (bin/12819). I happen to feel that this is a serious problem, although that's been debated. Doesn't matter. Just be aware that the behavior has changed and that you need to be aware that your access files may need to be moved.

Milestones & summary:

3.1-RELEASE: /usr/sbin/tcpdmatch confirmed to check /usr/local/etc. /usr/local/sbin/tcpdmatch, part of tcpd package, checks /usr/local/etc.

-STABLE of 6/20: /usr/sbin/tcpdmatch has changed somewhere along the line. Checks /etc by default now, even though tcpd isn't integrated into the distribution and expects access files in /usr/local/etc. /usr/local/sbin/tcpdmatch continues to check /usr/local/etc.

-STABLE of 7/21: inetd now wraps; expects access files in /etc. /usr/local/sbin/tcpdmatch continues to check /usr/local/etc.

Sorry for the long-winded message, but I wanted to explain the issue as thoroughly as I could. Also, thanks to Sheldon and the freebsd-bugs team for following up on this PR so promptly.

SB
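A check for the kind of checker/daemon path mismatch the post describes, added here as an example and not part of the original mail or of FreeBSD: it reads the hosts.allow path compiled into each tcp_wrappers consumer, compares the path a tcpdmatch binary uses with the one tcpd or a wrapped inetd uses, and reports which access files are absent from the directory the daemon actually reads. It assumes the access-file path is embedded as a literal string in the binary; the sample "binaries" it builds are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the mail): find which hosts.allow directory a
# tcp_wrappers consumer was built with, and flag a checker/daemon mismatch
# like the tcpdmatch vs. tcpd / inetd -w one described above.
# Assumption: the access-file path is embedded as a literal string in the
# binary (for a dynamically linked libwrap, scan the library instead).
# Print the directory a binary looks in for hosts.allow; "unknown" if none.
# The tr | grep pipeline is a portable stand-in for strings(1).
wrapper_access_dir() {
    bin=$1
    [ -r "$bin" ] || { echo "unreadable"; return 1; }
    path=$(tr -c '[:print:]' '\n' < "$bin" \
           | grep -o '/[^ ]*/hosts\.allow' | head -n 1)
    [ -n "$path" ] || { echo "unknown"; return 1; }
    dirname "$path"
}

# Compare the directory used by a checker (tcpdmatch) with the one used by
# the enforcing program (tcpd or a wrapped inetd). Returns 2 on mismatch.
check_pair() {
    checker_dir=$(wrapper_access_dir "$1") || return 1
    daemon_dir=$(wrapper_access_dir "$2") || return 1
    if [ "$checker_dir" = "$daemon_dir" ]; then
        echo "OK $checker_dir"
    else
        echo "MISMATCH checker=$checker_dir daemon=$daemon_dir"
        return 2
    fi
}

# List which of hosts.allow / hosts.deny are absent from a directory, so a
# daemon that now reads /etc is not silently left without any rules.
missing_access_files() {
    missing=""
    for f in hosts.allow hosts.deny; do
        [ -f "$1/$f" ] || missing="$missing $f"
    done
    echo "${missing# }"
}

# Constructed sample "binaries" (NUL-separated strings only) for offline use.
make_sample_binaries() {
    printf 'ELF\000/etc/hosts.allow\000/etc/hosts.deny\000' > "$1/tcpdmatch"
    printf 'ELF\000/usr/local/etc/hosts.allow\000' > "$1/tcpd"
    printf 'ELF\000/etc/hosts.allow\000' > "$1/inetd"
}

# Usage: sh check_wrappers.sh /usr/sbin/tcpdmatch /usr/sbin/inetd
if [ "$#" -ge 2 ]; then check_pair "$1" "$2"; fi
```

Run it once per pair you rely on (the tcpdmatch you use for testing against the daemon that enforces), then confirm the files the daemon needs exist in the directory it reports.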