Date: Wed, 29 Oct 2003 18:26:20 -0500
From: "Dan Langille" <dan@langille.org>
To: Guido van Rooij <guido@gvr.org>
Cc: FreeBSD-hackers@freebsd.org
Subject: Re: hosts_access(3) - correct usage?
Message-ID: <3FA0064C.1557.16BBE929@localhost>
In-Reply-To: <20031029161009.GA26309@gvr.gvr.org>
References: <3F9F8AAA.12507.14D8EE23@localhost>

On 29 Oct 2003 at 17:10, Guido van Rooij wrote:

> On Wed, Oct 29, 2003 at 09:38:50AM -0500, Dan Langille wrote:
> > Is this the right way to use hosts_access? The code blows up during
> > the hosts_access call. I'm told it runs OK on Linux/Solaris. I'm
> > wondering if there's something different it needs to be doing on
> > FreeBSD.
> >
> > Thanks
> >
> > #ifdef HAVE_LIBWRAP
> >       P(mutex); /* hosts_access is not thread safe */
> >       request_init(&request, RQ_DAEMON, my_name, RQ_FILE, newsockfd, 0);
> >       fromhost(&request);
> >       if (!hosts_access(&request)) {
> >          V(mutex);
> >          Jmsg2(NULL, M_WARNING, 0,
> >                _("Connection from %s:%d refused by hosts.access"),
> >                inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
> >          close(newsockfd);
> >          continue;
> >       }
> >       V(mutex);
> > #endif
>
> This seems okay to me.
> OpenSSH uses:
>     struct request_info req;
>
>     request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
>     fromhost(&req);
>
>     if (!hosts_access(&req)) {
>         debug("Connection refused by tcp wrapper");
>         refuse(&req);
>         /* NOTREACHED */
>         fatal("libwrap refuse returns");
>     }
>
> I take it that newsockfd is the one returned from accept()?
> I'd try using a debug version of libwrap...

I was speaking with dwhite on IRC about this. The application
(sysutils/bacula) has a hacked version of tcpd.h for use with C++.
This didn't have the #ifdef INET6 statements. So I patched that up.
But no difference in the results.

If hosts.allow is going to deny access, the crash occurs:

http://beta.freebsddiary.org/tmp/bacula-fd-gbd.success.html

If access is denied, this occurs:

http://beta.freebsddiary.org/tmp/bacula-fd-gbd.fails.html

I haven't looked into libwrap yet, but in case someone sees something
obvious, I've posted the above.

thanks
--
Dan Langille : http://www.langille.org/