Date:      Thu, 11 Mar 1999 14:36:52 -0500
From:      James FitzGibbon <james@ehlo.com>
To:        Dima Ruban <dima@best.net>
Cc:        James FitzGibbon <jfitz@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: ports/security/portmap_tcpd - Imported sources
Message-ID:  <19990311143652.A60155@ehlo.com>
In-Reply-To: <199903111711.JAA62227@burka.rdy.com>; from Dima Ruban on Thu, Mar 11, 1999 at 09:11:20AM -0800
References:  <199903111657.IAA17609@freefall.freebsd.org> <199903111711.JAA62227@burka.rdy.com>

* Dima Ruban (dima@best.net) [990311 13:15]:

> James FitzGibbon writes:
> > jfitz       1999/03/11 08:57:25 PST
> > 
> >   ports/security/portmap_tcpd - Imported sources
> >   Update of /home/ncvs/ports/security/portmap_tcpd
> >   In directory freefall.freebsd.org:/d/users/jfitz/portmap
> >   
> >   Log Message:
> >   Import of Wietse Venema's portmapper replacement.  This uses libwrap to store access control for the portmapper in hosts.allow/hosts.deny
> >   
> 
> I was under the impression that we have exactly this portmapper in the main
> source tree. All you need to do is to add -DHOSTS_ACCESS and compile it with
> libwrap.

Damn, I should have checked that before proceeding.  I read the manpage for
portmap and found no mention of access control, but didn't think to check
the source.

I have to wonder what the point of having it in there without any
documentation is though.  We don't have libwrap in the main source tree, so
to get the "protected" portmapper, you have to install, then install
libwrap, then re-make the portmapper.  "-DHOSTS_ACCESS" is even commented
out in the Makefile for portmap.

The problem I see with "optional" features like this is that it requires the
user to remember to make local changes to the source tree before they make
world.  If they forget to do that, they end up with the non-protected
version of portmap, which left unnoticed could represent a security risk.

Any ideas as to how best to handle this?  I can easily remove the port
(actually, at this point it makes more sense to just have one of the
repository masters nuke it entirely), but it doesn't make it any easier for
users to get a copy of portmap linked against libwrap.

-- 
j.

James FitzGibbon                                                james@ehlo.com
EHLO Solutions                                         Voice/Fax (416)410-0100


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message



