Date: Wed, 28 Jul 1999 13:17:26 -0400 (EDT)
From: Seth <seth@freebie.dp.ny.frb.org>
To: Yiorgos Adamopoulos <adamo@dblab.ece.ntua.gr>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: tcpd, inetd, and hosts.[allow|deny]
Message-ID: <Pine.BSF.4.10.9907281307570.2887-100000@freebie.dp.ny.frb.org>
In-Reply-To: <19990728200259.A60026@dblab.ece.ntua.gr>
On Wed, 28 Jul 1999, Yiorgos Adamopoulos wrote:

> Peculiar though it may seem, I would call this expected behaviour. Why?
>
> tcpd is installed from /usr/ports/security/tcp_wrappers right? So it uses
> /usr/local/etc/hosts.{allow,deny} and /usr/local/sbin/tcpdmatch is installed
> *with* tcpd from the ports collection.
>
> OTOH, /usr/sbin/tcpdmatch is installed on the *system* (read make World) and
> checks /etc/hosts.{allow,deny} since this is what the tcp_wrappers aware inetd
> uses (and you need a tcpdmatch to check these, right?).
>
> But if you have tcpd capability in inetd, why do you now need to explicitly
> install tcpd? (That is if you run the FreeBSD inetd).

The issue is one of timing. I agree that IF tcpd were part of the base install
(in /usr/libexec, for example), it would make sense (and there would be no need
to use the port).

However, my first point was that prior to the introduction of the wrapped inetd,
tcpdmatch and tcpdcheck were provided -- WITHOUT an accompanying tcpd -- in
/usr/sbin. They originally checked /usr/local/etc. Sometime between 3.1-RELEASE
and 6/20 -STABLE, these utilities were changed to check /etc as opposed to
/usr/local/etc, and thus could not have been expected to perform any useful
function prior to the inetd wrap of 7/21. What were they there for? All they did
was create confusion for many reasons; primary among them was the fact that most
people have /usr/sbin BEFORE /usr/local/sbin in their paths and thus were
executing the wrong version of tcpdmatch... the version that wouldn't read the
files that tcpd was reading. With the introduction of inetd wrapping, the
/usr/sbin/tcpd* utilities serve their intended purpose, since they check /etc,
which is where inetd expects the rules.

My second point was that the move from a locally-installed tcpd to the wrapped
inetd was not seamless from an administrative point of view. The access files
must be moved from /usr/local/etc to /etc in order for a default wrapped inetd
config to access them. Any administrator who relied on wrapping and who made the
change to inetd to enable wrapping but did not move their rules files actually
defeated his own security measures. That's a scenario that didn't get much
airtime, and the point of my last post was to make people aware of the issues
involved.

SB
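As an added defender's check (not part of Seth's post, the thread, or FreeBSD itself), the following POSIX sh script flags the two problems the message describes: rules left in /usr/local/etc while the wrapped inetd reads /etc, and a PATH in which one tcpdmatch shadows the other. The directory arguments, the function names and the temporary-directory usage are my own assumptions; on a live host you would pass the real paths.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits the two places
# tcp_wrappers rules can live and which tcpdmatch the shell would run.

# check_wrapper_rules OLD_DIR NEW_DIR
#   OLD_DIR: where the tcp_wrappers port kept hosts.allow/hosts.deny
#   NEW_DIR: where the wrapped inetd reads them
#   Returns 0 if rules exist in NEW_DIR, 1 if they exist only in OLD_DIR
#   (wrapping silently defeated), 2 if there are no rules in either place.
check_wrapper_rules() {
    old_dir="$1"; new_dir="$2"
    old_found=0; new_found=0
    for f in hosts.allow hosts.deny; do
        [ -f "$old_dir/$f" ] && old_found=1
        [ -f "$new_dir/$f" ] && new_found=1
    done
    if [ "$new_found" -eq 1 ]; then
        echo "ok: rules present in $new_dir (read by the wrapped inetd)"
        return 0
    elif [ "$old_found" -eq 1 ]; then
        echo "WARNING: rules only in $old_dir; inetd reads $new_dir, so they are ignored"
        return 1
    else
        echo "no hosts.allow/hosts.deny in $old_dir or $new_dir"
        return 2
    fi
}

# which_tcpdmatch PATH_STRING
#   Resolves tcpdmatch the way the shell does: first executable hit wins.
#   Prints its full path and returns 0, or returns 1 if none is found.
which_tcpdmatch() {
    saved_ifs=$IFS
    IFS=:
    for d in $1; do
        if [ -x "$d/tcpdmatch" ]; then
            IFS=$saved_ifs
            echo "$d/tcpdmatch"
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# Usage on a FreeBSD host, with the paths the thread discusses:
#   check_wrapper_rules /usr/local/etc /etc
#   which_tcpdmatch "$PATH"
```

If the first call warns and the second prints /usr/sbin/tcpdmatch, the rules you test with tcpdmatch and the rules inetd enforces are not the same files.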