Date:      Wed, 28 Jul 1999 13:17:26 -0400 (EDT)
From:      Seth <seth@freebie.dp.ny.frb.org>
To:        Yiorgos Adamopoulos <adamo@dblab.ece.ntua.gr>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: tcpd, inetd, and hosts.[allow|deny]
Message-ID:  <Pine.BSF.4.10.9907281307570.2887-100000@freebie.dp.ny.frb.org>
In-Reply-To: <19990728200259.A60026@dblab.ece.ntua.gr>



On Wed, 28 Jul 1999, Yiorgos Adamopoulos wrote:

> Peculiar though it may seem, I would call this expected behaviour.  Why?
> 
> tcpd is installed from /usr/ports/security/tcp_wrappers right?  So it uses
> /usr/local/etc/hosts.{allow,deny} and /usr/local/sbin/tcpdmatch is installed
> *with* tcpd from the ports collection.
> 
> OTOH, /usr/sbin/tcpdmatch is installed on the *system* (read make World) and
> checks /etc/hosts.{allow,deny} since this is what the tcp_wrappers aware inetd
> uses (and you need a tcpdmatch to check these, right?).
> 
> But if you have tcpd capability in inetd, why do you now need to explicitly
> install tcpd?  (That is if you run the FreeBSD inetd).
> 

The issue is one of timing.

I agree that IF tcpd were part of the base install (in /usr/libexec, for
example), it would make sense (and there would be no need to use the
port).  However, my first point was that prior to the introduction of the
wrapped inetd, tcpdmatch and tcpdcheck were provided -- WITHOUT an
accompanying tcpd -- in /usr/sbin.  They originally checked
/usr/local/etc.  Sometime between 3.1-RELEASE and 6/20 -STABLE, these
utilities were changed to check /etc as opposed to /usr/local/etc, and
thus could not have been expected to perform any useful function prior to
the inetd wrap of 7/21.  What were they there for?  All they did was
create confusion for many reasons; primary among them was the fact that
most people have /usr/sbin BEFORE /usr/local/sbin in their paths and thus
were executing the wrong version of tcpdmatch... the version that wouldn't
read the files that tcpd was reading.

With the introduction of inetd wrapping, the /usr/sbin/tcpd* utilities
serve their intended purpose, since they check /etc, which is where inetd
expects the rules.  My second point was that the move from a
locally-installed tcpd to the wrapped inetd was not seamless from an
administrative point of view.  The access files must be moved from
/usr/local/etc to /etc in order for a default wrapped inetd config to
access them.  Any administrator who relied on wrapping and who made the
change to inetd to enable wrapping but did not move their rules files
actually defeated his own security measures.  That's a scenario that
didn't get much airtime, and the point of my last post was to make people
aware of the issues involved.


SB
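Added example, not part of the thread above and not FreeBSD's own code: a small POSIX shell audit for the two pitfalls the message describes. The directory roles (the system tcpdmatch in /usr/sbin reading /etc, the port's tcpdmatch in /usr/local/sbin reading /usr/local/etc, the wrapped inetd reading /etc) are taken from the message; the function names, the exit-status scheme and the assumption that any tcpdmatch other than the system one is the port's copy are this example's own.

```shell
#!/bin/sh
# Added example; not from the original thread and not FreeBSD's own code.
# Audits the two pitfalls the message describes:
#  1. The first tcpdmatch on PATH (normally /usr/sbin) reads a different
#     rules directory than the tcpd from the port, so the admin tests the
#     wrong files.
#  2. hosts.allow/hosts.deny were left in /usr/local/etc after switching to
#     the wrapped inetd, which reads /etc, so the rules are never consulted.
# Directories are parameters so the audit can be run against a scratch tree.
# Function names and the exit-status scheme are this example's own.

# first_in_path NAME PATHSTRING: print the first directory on PATHSTRING
# that holds an executable NAME; return 1 if there is none.
first_in_path() {
    _name=$1
    _rest=$2
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _dir=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _dir=$_rest;       _rest= ;;
        esac
        if [ -n "$_dir" ] && [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir"
            return 0
        fi
    done
    return 1
}

# has_rules DIR: succeed if DIR contains hosts.allow or hosts.deny.
has_rules() {
    [ -f "$1/hosts.allow" ] || [ -f "$1/hosts.deny" ]
}

# audit_wrapping PATHSTRING SYSBIN SYSETC LOCALETC
#   SYSBIN   directory of the system tcpdmatch that reads SYSETC (/usr/sbin)
#   SYSETC   rules directory the wrapped inetd reads (/etc)
#   LOCALETC rules directory the ported tcpd reads (/usr/local/etc)
# Prints one finding per line. Exit status is a bit mask:
#   1  rules exist only in LOCALETC, so the wrapped inetd never sees them
#   2  the tcpdmatch found first on PATH is not the system one and therefore
#      tests LOCALETC instead of SYSETC (assumes any other copy is the port's)
#   0  neither problem found
audit_wrapping() {
    _path=$1; _sysbin=$2; _sysetc=$3; _localetc=$4
    _status=0
    if has_rules "$_localetc" && ! has_rules "$_sysetc"; then
        echo "rules only in $_localetc; wrapped inetd reads $_sysetc and never sees them"
        _status=1
    fi
    _found=$(first_in_path tcpdmatch "$_path") || _found=""
    if [ -n "$_found" ] && [ "$_found" != "$_sysbin" ]; then
        echo "tcpdmatch resolves to $_found, not $_sysbin; it checks $_localetc rather than $_sysetc"
        _status=$((_status + 2))
    fi
    return $_status
}

# Live use on a host, with the paths named in the message:
#   sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_wrapping "$PATH" /usr/sbin /etc /usr/local/etc
fi
```

The first check only asks whether any hosts.allow or hosts.deny exists in /etc; if the system already ships a template there, the audit is satisfied even though the real rules still sit in /usr/local/etc, so compare the two files' contents by hand after moving them.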



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message