From: "Dan Langille"
To: FreeBSD-hackers@freebsd.org
Date: Wed, 29 Oct 2003 19:53:01 -0500
Subject: Re: hosts_access(3) - correct usage?
Message-ID: <3FA01A9D.29792.170B4536@localhost>
In-reply-to: <3FA0064C.1557.16BBE929@localhost>
References: <20031029161009.GA26309@gvr.gvr.org>

On 29 Oct 2003 at 18:26, Dan Langille wrote:

> On 29 Oct 2003 at 17:10, Guido van Rooij wrote:
>
> > On Wed, Oct 29, 2003 at 09:38:50AM -0500, Dan Langille wrote:
> > > Is this the right way to use hosts_access?  The code blows up during
> > > the hosts_access call.  I'm told it runs OK on Linux/Solaris.  I'm
> > > wondering if there's something different it needs to be doing on
> > > FreeBSD.
> > >
> > > Thanks
> > >
> > > #ifdef HAVE_LIBWRAP
> > >       P(mutex);   /* hosts_access is not thread safe */
> > >       request_init(&request, RQ_DAEMON, my_name, RQ_FILE, newsockfd, 0);
> > >       fromhost(&request);
> > >       if (!hosts_access(&request)) {
> > >          V(mutex);
> > >          Jmsg2(NULL, M_WARNING, 0, _("Connection from %s:%d refused by hosts.access"),
> > >                inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
> > >          close(newsockfd);
> > >          continue;
> > >       }
> > >       V(mutex);
> > > #endif
> >
> > This seems okay to me.
> > OpenSSH uses:
> >         struct request_info req;
> >
> >         request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
> >         fromhost(&req);
> >
> >         if (!hosts_access(&req)) {
> >                 debug("Connection refused by tcp wrapper");
> >                 refuse(&req);
> >                 /* NOTREACHED */
> >                 fatal("libwrap refuse returns");
> >         }
> >
> > I take it that newsockfd is the one returned from accept()?
> > I'd try using a debug version of libwrap...
>
> I was speaking with dwhite on IRC about this.  The application
> (sysutils/bacula) has a hacked version of tcpd.h for use with C++.
> This didn't have the #ifdef INET6 statements.  So I patched that up.
> But no difference in the results.
>
> If hosts.allow is going to deny access, the crash occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.success.html
>
> If access is denied, this occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.fails.html
>
> I haven't looked into libwrap yet, but in case someone sees something
> obvious, I've posted the above.

Well, we've tracked it down to one set of allow statements.  The
server is at 192.168.0.56 (undef.unixathome.org).  The daemon name is
bast-fd.  If we supply any one of these in /etc/hosts.allow, the
crash does not occur.

bast-fd : 192.168.0.0/255.255.255.0 : allow
bast-fd : 192.168.0.0/255.255.255.0 : deny
bast-fd : undef.unixathome.org : allow
bast-fd : undef.unixathome.org : deny
bast-fd : 192.168.0.56 : allow

With this, the crash occurs:

bast-fd : undef.blah.blah : allow

This is how to make it crash:

$ telnet bast 9102
Trying 192.168.0.21...
Connected to bast.unixathome.org.
Escape character is '^]'.
You are not welcome to use bast-fd from undef.unixathome.org.
Connection closed by foreign host.

Also, if the first call to hosts_access succeeds, then all
subsequent calls will succeed.  I actually have to restart the daemon,
and then have a deny condition in hosts.allow in order for the
hosts_access call to bomb.

Any ideas?
-- 
Dan Langille : http://www.langille.org/
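
Added example, not part of the original message and not Bacula or libwrap code: a simplified C model of first-match rule evaluation in the style of hosts_access(5), showing which rule decides for the client in the message under each bast-fd line. The catch-all deny rule and the names first_match and deciding_rule are assumptions; only the ALL, exact name/address and net/mask pattern forms are handled.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct rule { const char *daemon, *client; int allow; };

/* Does one client pattern match the peer's host name or IPv4 address? */
static int client_matches(const char *pat, const char *name, const char *addr)
{
    const char *slash = strchr(pat, '/');
    struct in_addr n, m, a;
    char net[64];
    if (slash == NULL)   /* ALL, exact host name (case-insensitive) or address */
        return strcmp(pat, "ALL") == 0 || strcasecmp(pat, name) == 0 ||
               strcmp(pat, addr) == 0;
    /* net/mask form: match when (addr & mask) == net */
    snprintf(net, sizeof(net), "%.*s", (int)(slash - pat), pat);
    if (inet_pton(AF_INET, net, &n) != 1 || inet_pton(AF_INET, slash + 1, &m) != 1 ||
        inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    return (a.s_addr & m.s_addr) == n.s_addr;
}

/* Index of the first rule matching daemon and client, or -1 if none does. */
int first_match(const struct rule *r, int n, const char *daemon,
                const char *name, const char *addr)
{
    for (int i = 0; i < n; i++)
        if ((strcmp(r[i].daemon, "ALL") == 0 || strcmp(r[i].daemon, daemon) == 0) &&
            client_matches(r[i].client, name, addr))
            return i;
    return -1;
}

/* Which rule decides for the client in the message when `pat` is the bast-fd
 * line? Rule 1, a catch-all deny, is an assumption; the message does not show it. */
int deciding_rule(const char *pat, int allow)
{
    struct rule t[] = { { "bast-fd", pat, allow }, { "ALL", "ALL", 0 } };
    return first_match(t, 2, "bast-fd", "undef.unixathome.org", "192.168.0.56");
}

int main(void)
{
    printf("192.168.0.56    -> rule %d\n", deciding_rule("192.168.0.56", 1));
    printf("undef.blah.blah -> rule %d\n", deciding_rule("undef.blah.blah", 1));
    return 0;
}
```

With any of the five bast-fd lines that match the client, rule 0 decides whether it says allow or deny; with undef.blah.blah the bast-fd line does not match and the decision falls to a later rule.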