Date: Wed, 28 Jul 1999 13:41:52 -0400 (EDT)
From: Seth <seth@freebie.dp.ny.frb.org>
To: Yiorgos Adamopoulos <adamo@dblab.ece.ntua.gr>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: tcpd, inetd, and hosts.[allow|deny]
Message-ID: <Pine.BSF.4.10.9907281334220.3008-100000@freebie.dp.ny.frb.org>
In-Reply-To: <19990728202954.A75107@dblab.ece.ntua.gr>

On Wed, 28 Jul 1999, Yiorgos Adamopoulos wrote:
> On Wed, Jul 28, 1999 at 01:17:26PM -0400, Seth wrote:
> > administrative point of view. The access files must be moved from
> > /usr/local/etc to /etc in order for a default wrapped inetd config to
> > access them. Any administrator who relied on wrapping and who made the
>
> Now this is where I disagree. The default /etc/hosts.allow allows every
> connection. Which is OK, since if you cut-n-paste your old inetd.conf tcpd
> wrapped lines, inetd will execute tcpd, who (tcpd) will check
> /usr/local/etc/hosts.{allow,deny} which will do what the administrator expects.
>
Not sure I follow you. Assume for a moment that you've been using the
tcpd package and have created a custom /usr/local/etc/hosts.deny to
filter, say, ftp attempts from some domain. Ignore for the moment that
the tcpdmatch that comes with FreeBSD base distributions past some point
in time after 3.1-R won't check these files by default (my first
original point). Your tcpd, installed as /usr/local/libexec/tcpd, works
fine with your /usr/local/etc/hosts.deny.

You've now made world using post-7/12 sources and decided to use this new
feature -- wrapping from inetd -- as opposed to tcpd. Hey, why use an
external program when inetd is more than happy to do it for you? You
remove all the references to /usr/local/libexec/tcpd from your
/etc/inetd.conf, and restart inetd with -w.

You're now vulnerable to all the access attempts you were protecting
before you converted to wrapped inetd, since the wrapped inetd looks
in /etc for the access files. Since yours are still in /usr/local/etc,
you're wide open until you move them.
SB
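
An added example, not part of the original e-mail: a shell check for the migration gap described above. It lists wrapper rules still sitting in /usr/local/etc with no counterpart in /etc, and the inetd.conf services that still run the external tcpd. The paths are the ones named in the thread; the function names, the ROOT argument and the sample rule are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find tcp-wrapper rules left behind in the
# legacy location after switching from external tcpd to inetd's built-in wrapping.
# ROOT is a hypothetical prefix argument so the check can run against a test tree.

# Active rules of one access file: drop blank lines and lines starting with '#'.
# Assumption: no backslash-continued rules (they would be compared line by line).
active_rules() {
    [ -f "$1" ] || return 0
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# One line per rule present in ROOT/usr/local/etc but absent from ROOT/etc.
unmigrated_rules() {
    root=$1
    for f in hosts.allow hosts.deny; do
        active_rules "$root/usr/local/etc/$f" | while IFS= read -r rule; do
            if ! active_rules "$root/etc/$f" | grep -Fxq -- "$rule"; then
                printf '%s: %s\n' "$f" "$rule"
            fi
        done
    done
}

# Services in ROOT/etc/inetd.conf that still run the external tcpd
# (those keep reading the legacy files).
tcpd_services() {
    [ -f "$1/etc/inetd.conf" ] || return 0
    awk '!/^#/ && index($0, "/usr/local/libexec/tcpd") { print $1 }' "$1/etc/inetd.conf"
}

# Constructed sample tree: a legacy deny rule, no access files under etc/, and
# an inetd.conf whose ftp line no longer goes through tcpd.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/local/etc"
    printf '# constructed rule\nftpd: .example.com\n' > "$d/usr/local/etc/hosts.deny"
    printf 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$d/etc/inetd.conf"
    printf '%s\n' "$d"
}

tree=$(demo_tree)
echo "rules not yet in /etc:"; unmigrated_rules "$tree"
echo "services still using tcpd: $(tcpd_services "$tree")"
rm -rf "$tree"
```

On a live system, pass an empty string as ROOT and run it before restarting inetd with -w. Rule order still matters after the move: hosts.allow is consulted before hosts.deny, so an allow-all entry in /etc/hosts.allow overrides a migrated deny rule.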
