From owner-freebsd-bugs Tue Jul 27 9:26:38 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from axl.noc.iafrica.com (axl.noc.iafrica.com [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id CED0914D15 for ; Tue, 27 Jul 1999 09:26:24 -0700 (PDT) (envelope-from sheldonh@axl.noc.iafrica.com)
Received: from sheldonh (helo=axl.noc.iafrica.com) by axl.noc.iafrica.com with local-esmtp (Exim 3.02 #1) id 119A3D-0006Up-00; Tue, 27 Jul 1999 18:25:59 +0200
From: Sheldon Hearn
To: Seth
Cc: freebsd-bugs@FreeBSD.org
Subject: Re: bin/12819: tcpd hosts.[allow|deny] location inconsistent
In-reply-to: Your message of "Tue, 27 Jul 1999 11:00:50 -0400."
Date: Tue, 27 Jul 1999 18:25:59 +0200
Message-ID: <24974.933092759@axl.noc.iafrica.com>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jul 1999 11:00:50 -0400, Seth wrote:

> I have to object, however, to the implication that I misclassified the
> severity of this problem.

I can see where you're coming from, but...

> In my opinion, if your standard tests (tcpdmatch, etc.) tell you
> that your system is denying certain connections, when in fact these
> connections are being allowed, you've got a pretty serious security
> issue.

If you have a legacy tcpd installed, then tcpd is run out of the wrapped
inetd. The default /etc/hosts.allow allows _everything_. Therefore, the
base system's tcpdmatch will tell you that _anything_ is allowed. It's
only once you start meddling with /etc/hosts.allow that this may change.
Once you've meddled with it, you know it's there and you worry. :-)

> Finally, if you go through my previous send-pr's, I think you'll find that
> I've always erred on the conservative side when estimating the level of
> severity. I hope you'll agree after reading this that the classification
> I submitted was, in retrospect, a fair one.

Nope, but I can see why you thought it was severe.

I do want to make it clear that I didn't mean "you are in the habit of
selecting poor Severity levels". I didn't look at your PR history at all.

> Thanks again for looking at this issue so quickly. Is there a fix for
> it?

The integration of tcp_wrappers into the base system was fairly well
documented and announced. The only thing that's unfortunate is that the
release notes don't reference the inetd(8) manpage, and said manpage should
be cross-referenced in the hosts_access(5) manpage. I'll take care of that.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
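The situation the thread describes, as an added example that is not part of the original message and not FreeBSD's or tcp_wrappers' own code: two wrappers on one machine, each reading its own access-control file, so that a verdict obtained by testing one file says nothing about what the other wrapper does to a real connection. The script below is a deliberately simplified emulation of a hosts_access(5) lookup (first matching rule wins, ALL wildcard, exact names, trailing-dot network prefixes and leading-dot domain suffixes only; real tcpd does much more). The file names base-hosts.allow and legacy-hosts.allow, the sample rules, and the client addresses are constructed for the example; the message gives no path for the legacy wrapper's file, so none is assumed.

```shell
#!/bin/sh
# Added example (not FreeBSD's or tcp_wrappers' own code): a deliberately
# simplified emulation of a tcpd hosts_access(5) lookup, used to show
# why testing one access file while the live wrapper reads another
# gives misleading verdicts.
#
# Supported subset only: one rule per line, "daemon_list : client_list
# [: allow|deny]", comma-separated lists, the ALL wildcard, exact names,
# a trailing-dot network prefix ("10.0.0.") and a leading-dot domain
# suffix (".trusted.example"). Real tcpd handles far more than this.

# match_item ITEM PATTERN: succeed if PATTERN covers ITEM.
match_item() {
    item=$1 pat=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$item" in "$pat"*) return 0 ;; esac ;;   # prefix match
        .*)  case "$item" in *"$pat") return 0 ;; esac ;;   # suffix match
        *)   [ "$item" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# match_list ITEM "a, b, c": succeed if any pattern in the list matches.
match_list() {
    item=$1
    set -f    # patterns must not undergo pathname expansion
    for pat in $(printf '%s' "$2" | tr -d '[:blank:]' | tr ',' ' '); do
        if match_item "$item" "$pat"; then set +f; return 0; fi
    done
    set +f
    return 1
}

# verdict FILE DAEMON CLIENT: print "allow" or "deny". First matching
# rule wins; a rule without an option allows; no match at all allows,
# as with a single merged hosts.allow that has no hosts.deny behind it.
verdict() {
    file=$1 daemon=$2 client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        [ -z "$(printf '%s' "$line" | tr -d '[:blank:]')" ] && continue
        case "$line" in *:*) ;; *) continue ;; esac        # not a rule
        daemons=$(printf '%s' "$line" | cut -d: -f1)
        clients=$(printf '%s' "$line" | cut -d: -f2)
        option=$(printf '%s' "$line" | cut -d: -f3 | tr -d '[:blank:]')
        [ -z "$option" ] && option=allow
        if match_list "$daemon" "$daemons" && match_list "$client" "$clients"; then
            printf '%s\n' "$option"
            return 0
        fi
    done < "$file"
    printf 'allow\n'
}

# write_sample_files DIR: constructed stand-ins for two installations:
# the base system's /etc/hosts.allow, whose shipped default allows
# everything, and a second wrapper's file that an administrator locked
# down (the message gives no path for it, so none is assumed here).
write_sample_files() {
    cat > "$1/base-hosts.allow" <<'EOF'
# Constructed: the base-system default, allow everything first
ALL : ALL : allow
EOF
    cat > "$1/legacy-hosts.allow" <<'EOF'
# Constructed: administrator's rules in the other wrapper's file
sshd, telnetd : 10.0.0., .trusted.example : allow
ALL : ALL : deny
EOF
}

# compare_wrappers DIR DAEMON CLIENT: print both verdicts; succeed only
# when they agree, so a failure flags a connection that a test run
# against the base file would misreport.
compare_wrappers() {
    base=$(verdict "$1/base-hosts.allow" "$2" "$3")
    legacy=$(verdict "$1/legacy-hosts.allow" "$2" "$3")
    printf '%s from %s: base file says %s, other wrapper says %s\n' \
        "$2" "$3" "$base" "$legacy"
    [ "$base" = "$legacy" ]
}

sample_dir=$(mktemp -d)
write_sample_files "$sample_dir"
compare_wrappers "$sample_dir" sshd 10.0.0.7 || true
compare_wrappers "$sample_dir" telnetd 192.0.2.5 \
    || echo "verdicts differ: run tcpdmatch against the file the live tcpd reads"
rm -rf "$sample_dir"
```

The practical check this illustrates: before trusting a tcpdmatch verdict, establish which hosts.allow the wrapper that actually fronts the daemon reads (the one built into the base inetd, or a separately installed tcpd), and test that file. tcpdmatch(8) documents a `-d` option that examines the hosts.allow and hosts.deny in the current directory instead of the default ones, which is the simplest way to point the test at the right file.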