From owner-freebsd-stable Wed Jul 28 10:42:14 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 0632715033 for ; Wed, 28 Jul 1999 10:42:10 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org)
Received: by fed-ef1.frb.gov; id NAA26805; Wed, 28 Jul 1999 13:42:09 -0400 (EDT)
Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma026626; Wed, 28 Jul 99 13:41:57 -0400
Date: Wed, 28 Jul 1999 13:41:52 -0400 (EDT)
From: Seth
Subject: Re: tcpd, inetd, and hosts.[allow|deny]
In-reply-to: <19990728202954.A75107@dblab.ece.ntua.gr>
To: Yiorgos Adamopoulos
Cc: freebsd-stable@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 28 Jul 1999, Yiorgos Adamopoulos wrote:

> On Wed, Jul 28, 1999 at 01:17:26PM -0400, Seth wrote:
> > administrative point of view. The access files must be moved from
> > /usr/local/etc to /etc in order for a default wrapped inetd config to
> > access them. Any administrator who relied on wrapping and who made the
>
> Now this is where I disagree. The default /etc/hosts.allow allows every
> connection. Which is OK, since if you cut-n-paste your old inetd.conf tcpd
> wrapped lines, inetd will execute tcpd, who (tcpd) will check
> /usr/local/etc/hosts.{allow,deny} which will do what the administrator expects.
>

Not sure I follow you. Assume for a moment that you've been using the tcpd
package and have created a custom /usr/local/etc/hosts.deny to filter, say,
ftp attempts from some domain. Ignore for the moment that the tcpdmatch that
comes with FreeBSD base distributions past some point in time after 3.1-R
won't check these files by default (my first original point). Your tcpd,
installed as /usr/local/libexec/tcpd, works fine with your
/usr/local/etc/hosts.deny.
You've now made world using post-7/12 sources and decided to use this new
feature -- wrapping from inetd -- as opposed to tcpd. Hey, why use an external
program when inetd is more than happy to do it for you? You remove all the
references to /usr/local/libexec/tcpd from your /etc/inetd.conf, and restart
inetd with -w. You're now vulnerable to all the access attempts you were
protecting before you converted to wrapped inetd, since the wrapped inetd looks
in /etc for the access files. Since yours are still in /usr/local/etc, you're
wide open until you move them.

SB