From owner-freebsd-security Tue Jan 23 02:23:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA23972 for security-outgoing; Tue, 23 Jan 1996 02:23:36 -0800 (PST) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id CAA23928 for ; Tue, 23 Jan 1996 02:23:23 -0800 (PST) Received: from localhost (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.3/8.7.3) with SMTP id MAA01048; Tue, 23 Jan 1996 12:21:39 +0200 (SAT) Message-Id: <199601231021.MAA01048@grumble.grondar.za> X-Authentication-Warning: grumble.grondar.za: Host mark@localhost [127.0.0.1] didn't use HELO protocol To: Paul Traina cc: Mark Murray , Nathan Lawson , security@FreeBSD.ORG Subject: Re: Ownership of files/tcp_wrappers port Date: Tue, 23 Jan 1996 12:21:39 +0200 From: Mark Murray Sender: owner-security@FreeBSD.ORG Precedence: bulk Paul Traina wrote: > Likewise, with eBones, we've hacked the sources to the point that its now a > HUGE job to upgrade to patch level 10. I know this, because I started it > and gave up in disgust 2 months ago. Please send me the patches, and I'll do it. I have some leave right now. > Let me state, completely, my objections to adding the tcp wrapper code: > > (a) there are several similar competing bits of code out there > that do similar things -- wrappers is not the only way to go None of them in regular use, and none as well-trusted (ubiquitous) as tcp_wrappers. None even in ports. > (b) it's already trivial for a user to add this support into the > base system should they desire it Sorta. I have seen some badly fouled up inetd.conf's with either total lossage (didn't work after being maimed) or massive security holes from misunderstanding. This is really a doumentation problem. we need a wrappers/general security section in the handbook. > (c) incorporating it into the base system means more work to support, > test, debug, and maintain the code Has to happen in ports anyway? Ok - not to tha same degree, and I would fiercly agree with you if the software under consideration was undergoing rapid development A-La NCFTP-2 or Lynx. The small size of this software is attractive, and its stability means it does not change often enough to be a PITA. > (d) the wrapper changes duplicate much of the access logging and > control we have already included directly in the system They also focus the same, usually in better detail. In fact wrappers are a _great_ source of logging information, and configurable from one place, too. In our last two breakins, wrapper logs nailed the culprit, and wrapper logs are great if your legacy system does not have decent accounting. One-file control of TCP access is darn useful. > (e) they don't cover the case of UDP programs True. > If you can address these issues, then I will withdraw my objections. 80%? ;-) M -- Mark Murray 46 Harvey Rd, Claremont, Cape Town 7700, South Africa +27 21 61-3768 GMT+0200 Finger mark@grondar.za for PGP key