Date: Wed, 29 Oct 2003 19:53:01 -0500 From: "Dan Langille" <dan@langille.org> To: FreeBSD-hackers@freebsd.org Subject: Re: hosts_access(3) - correct usage? Message-ID: <3FA01A9D.29792.170B4536@localhost> In-Reply-To: <3FA0064C.1557.16BBE929@localhost> References: <20031029161009.GA26309@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 29 Oct 2003 at 18:26, Dan Langille wrote:
> On 29 Oct 2003 at 17:10, Guido van Rooij wrote:
>
> > On Wed, Oct 29, 2003 at 09:38:50AM -0500, Dan Langille wrote:
> > > Is this the right way to use hosts_access? The code blows up during
> > > the hosts_access call. I'm told it runs OK on Linux/Solaris. I'm
> > > wonderding if there's something different it needs to do be doing on
> > > FreeBSD.
> > >
> > > Thanks
> > >
> > > #ifdef HAVE_LIBWRAP
> > > P(mutex); /* hosts_access is not thread safe */
> > > request_init(&request, RQ_DAEMON, my_name, RQ_FILE, newsockfd,
> > > 0);
> > > fromhost(&request);
> > > if (!hosts_access(&request)) {
> > > V(mutex);
> > > Jmsg2(NULL, M_WARNING, 0, _("Connection from %s:%d refused
> > > by hosts.access"),
> > > inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
> > > close(newsockfd);
> > > continue;
> > > }
> > > V(mutex);
> > > #endif
> >
> >
> > This seems okay to me.
> > OpenSSH uses:
> > struct request_info req;
> >
> > request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
> > fromhost(&req);
> >
> > if (!hosts_access(&req)) {
> > debug("Connection refused by tcp wrapper");
> > refuse(&req);
> > /* NOTREACHED */
> > fatal("libwrap refuse returns");
> > }
> >
> > I take it that newsockfd is the one returned from accept()?
> > I'd try using a debug version of libwrap...
>
> I was speaking with dwhite on IRC about this. The application
> (sysutils/bacula) has a hacked version of tcpd.h for use with C++.
> This didn't have the #ifdef INET6 statements. So I patched that up.
> But no difference in the results.
>
> If hosts.allow is going to deny access, the crash occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.success.html
>
> If access is denied, this occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.fails.html
>
> I haven't looked into libwrap yet, but in case someone sees something
> obvious, I've posted the above.
Well, we've tracked it down to one set of allow statements. The
server is at 192.168.0.56 (undef.unixathome.org). The daemon name is
bast-fd. If we supply any one of these in /etc/hosts.allow, the
crash does not occur.
bast-fd : 192.168.0.0/255.255.255.0 : allow
bast-fd : 192.168.0.0/255.255.255.0 : deny
bast-fd : undef.unixathome.org : allow
bast-fd : undef.unixathome.org : deny
bast-fd : 192.168.0.56 : allow
With this, the crash occurs:
bast-fd : undef.blah.blah : allow
This is how to make it crash:
$ telnet bast 9102
Trying 192.168.0.21...
Connected to bast.unixathome.org.
Escape character is '^]'.
You are not welcome to use bast-fd from undef.unixathome.org.
Connection closed by foreign host.
Also, if the first call the hosts_access succeeds, then all subequent
calls will suceed. I actually have to restart the daemon, and then
have a deny condition in hosts.allow in order for the hosts_access
call to bomb.
Any ideas?
--
Dan Langille : http://www.langille.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FA01A9D.29792.170B4536>