From owner-freebsd-stable Wed Jul 28 12:28: 1 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 3CB1914CF3 for ; Wed, 28 Jul 1999 12:27:48 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org)
Received: by fed-ef1.frb.gov; id NAA07428; Wed, 28 Jul 1999 13:18:25 -0400 (EDT)
Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma006935; Wed, 28 Jul 99 13:17:32 -0400
Date: Wed, 28 Jul 1999 13:17:26 -0400 (EDT)
From: Seth
Subject: Re: tcpd, inetd, and hosts.[allow|deny]
In-reply-to: <19990728200259.A60026@dblab.ece.ntua.gr>
To: Yiorgos Adamopoulos
Cc: freebsd-stable@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 28 Jul 1999, Yiorgos Adamopoulos wrote:

> Peculiar though it may seem, I would call this expected behaviour. Why?
>
> tcpd is installed from /usr/ports/security/tcp_wrappers right? So it uses
> /usr/local/etc/hosts.{allow,deny} and /usr/local/sbin/tcpdmatch is installed
> *with* tcpd from the ports collection.
>
> OTOH, /usr/sbin/tcpdmatch is installed on the *system* (read make World) and
> checks /etc/hosts.{allow,deny} since this is what the tcp_wrappers aware inetd
> uses (and you need a tcpdmatch to check these, right?).
>
> But if you have tcpd capability in inetd, why do you now need to explicitly
> install tcpd? (That is if you run the FreeBSD inetd).

The issue is one of timing. I agree that IF tcpd were part of the base install (in /usr/libexec, for example), it would make sense (and there would be no need to use the port). However, my first point was that prior to the introduction of the wrapped inetd, tcpdmatch and tcpdcheck were provided -- WITHOUT an accompanying tcpd -- in /usr/sbin. They originally checked /usr/local/etc.

Sometime between 3.1-RELEASE and 6/20 -STABLE, these utilities were changed to check /etc as opposed to /usr/local/etc, and thus could not have been expected to perform any useful function prior to the inetd wrap of 7/21. What were they there for? All they did was create confusion for many reasons; primary among them was the fact that most people have /usr/sbin BEFORE /usr/local/sbin in their paths and thus were executing the wrong version of tcpdmatch... the version that wouldn't read the files that tcpd was reading. With the introduction of inetd wrapping, the /usr/sbin/tcpd* utilities serve their intended purpose, since they check /etc, which is where inetd expects the rules.

My second point was that the move from a locally-installed tcpd to the wrapped inetd was not seamless from an administrative point of view. The access files must be moved from /usr/local/etc to /etc in order for a default wrapped inetd config to access them. Any administrator who relied on wrapping and who made the change to inetd to enable wrapping but did not move their rules files actually defeated his own security measures. That's a scenario that didn't get much airtime, and the point of my last post was to make people aware of the issues involved.

SB
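The two pitfalls described in this message (access rules left behind in /usr/local/etc while the wrapped inetd reads only /etc, and a tcpdmatch earlier in PATH that tests against the wrong files) can be checked for mechanically. The following script is an added example, not from the thread or from FreeBSD; it takes the two rule directories and the PATH as arguments so it can be run against copies rather than only the live system.

```shell
#!/bin/sh
# Added example: audit a tcp_wrappers migration from the ports tcpd to the
# wrapped inetd. Directory arguments stand in for /usr/local/etc and /etc.

# check_wrapper_rules OLD_DIR NEW_DIR
# Reports hosts.allow/hosts.deny that exist under OLD_DIR (read by the ports
# tcpd) but are missing or empty under NEW_DIR (read by the wrapped inetd).
# Returns 1 when inetd would silently ignore rules the admin relies on.
check_wrapper_rules() {
    old_dir=$1
    new_dir=$2
    status=0
    for f in hosts.allow hosts.deny; do
        old="$old_dir/$f"
        new="$new_dir/$f"
        if [ -s "$old" ] && [ ! -s "$new" ]; then
            echo "WARN: $old has rules but $new is missing or empty; inetd ignores $old"
            status=1
        elif [ -s "$old" ] && [ -s "$new" ] && ! cmp -s "$old" "$new"; then
            echo "NOTE: $old and $new differ; inetd consults only $new"
        fi
    done
    return $status
}

# list_tcpdmatch [PATH]
# Prints every tcpdmatch found on the given search path, in lookup order.
# The first line is what a bare "tcpdmatch" invocation runs, so an admin can
# see whether /usr/sbin/tcpdmatch (checks /etc) shadows the ports build in
# /usr/local/sbin (checks /usr/local/etc).
list_tcpdmatch() {
    (
        IFS=:
        for p in ${1:-$PATH}; do
            [ -x "$p/tcpdmatch" ] && echo "$p/tcpdmatch"
        done
        true
    )
}

# Stand-alone run against the real system locations.
if [ "${0##*/}" = "check_wrappers.sh" ]; then
    list_tcpdmatch
    check_wrapper_rules /usr/local/etc /etc
fi
```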