| Summary: | tcpd hosts.[allow\|deny] location inconsistent | ||
|---|---|---|---|
| Product: | Base System | Reporter: | seth <seth> |
| Component: | bin | Assignee: | bill fumerola <billf> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 3.2-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||
State Changed From-To: open->closed

The tcpd program is not distributed with FreeBSD as part of the base system, since its functionality is built into inetd. It's part of the tcp_wrappers port, which you don't need on 3.2-STABLE. Update to a recent 3.2-STABLE and check the inetd(8) manpage.

As an aside, please try to provide realistic Severity fields for your PRs. :-)

Thanks, Sheldon.

State Changed From-To: closed->open

Not so fast. This is a serious problem for anyone running 3.2-RELEASE, especially someone upgrading to 3.2-RELEASE after running e.g. 3.1-RELEASE with the tcpwrappers port, since the system tcpd utilities will take precedence over the port (due to /usr/bin being before /usr/local/bin in PATH), and they read their configuration files from /etc instead of /usr/local/etc. At the very least, this PR warrants an addition to the errata list.

Responsible Changed From-To: freebsd-bugs->billf

The submitter is writing a patch for the errata which I will commit.

I took the liberty of updating ERRATA.TXT. Here's the diff:

[command: diff -c ERRATA.TXT ERRATA.NEW]

*** ERRATA.TXT Mon Aug 2 23:15:51 1999 --- ERRATA.NEW Mon Aug 2 23:14:46 1999 *************** *** 24,30 **** ---- Security Advisories: ! Current active security advisories for 3.2: None ---- System Update Information: --- 24,49 ---- ---- Security Advisories: ! Current active security advisories for 3.2: + NOTE to users upgrading from an older version: + + If you are currently running tcpd from /usr/local/libexec, please + note that the addition of the userland tcpd utilities tcpdmatch + and tcpdchk into /sbin may result in false rule checking. These + utilities are necessary to support the wrapping-capable inetd. + The new inetd with wrapping expects hosts.allow and hosts.deny to + reside in /etc, NOT /usr/local/etc (which is where tcpd wants + them). + + If you wish to continue to use /usr/local/libexec/tcpd, please + ensure that you're using the userland tcpd utilities in + /usr/local/sbin. 
If you wish to use the wrapping functionality + available via inetd -w, please ensure that your hosts.allow and + hosts.deny files are available in /etc. + + ---- System Update Information: + +

Seth Bromberger seth@interport.net

State Changed From-To: open->closed

ERRATA was updated, PR was never closed.
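Review bot: the first paragraph of the added NOTE says tcpdmatch and tcpdchk were added "into /sbin", but the `what` output in the original report shows the binary at /usr/sbin/tcpdmatch, so the path in the note should be checked against where the utilities are actually installed. The changed line also drops "None" from "Current active security advisories for 3.2:", which makes the upgrade note read as a security advisory; consider keeping "None" and giving the NOTE its own heading. "may result in false rule checking" would be clearer if it stated that tcpdmatch and tcpdchk read hosts.allow and hosts.deny from /etc while /usr/local/libexec/tcpd reads them from /usr/local/etc.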
>e 537: what tcpd

    tcpd:
        tcpd.c 1.10 96/02/11 17:01:32
        patchlevel 7.6 97/03/21 19:27:23
    /usr/sbin/tcpdmatch:
        tcpdmatch.c 1.5 96/02/11 17:01:36
        fakelog.c 1.3 94/12/28 17:42:21
        inetcf.c 1.7 97/02/12 02:13:23
        scaffold.c 1.6 97/03/21 19:27:24

Description:

tcpd uses access control files in /usr/local/etc. tcpdmatch (and tcpdchk) checks against files in /etc.

Fix:

Quick workaround is to symlink /usr/local/etc/hosts.[allow|deny] to /etc. Long-term fix would require changes to tcpd or tcpdmatch/tcpdchk.

How-To-Repeat:

Create hosts.[allow|deny] in /etc. Run tcpdmatch against them, and watch the rules be processed/listed correctly. Then try exercising the rules via tcpd. No rules will be processed.
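A check for the mismatch described in this PR, added here as an example (it is not part of the PR or of FreeBSD): it reports whether the hosts.allow and hosts.deny under /etc are the same rules as the copies under /usr/local/etc, which is also what the symlink workaround achieves. The function names `compare_acl` and `check_tcpd_acls` are hypothetical, and the two directories can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the PR. Verifies that the access-control files
# consulted by the base-system tools (/etc: tcpdmatch, tcpdchk, inetd
# wrapping) are the same rules the ported tcpd reads (/usr/local/etc).

# compare_acl FILE ETC_DIR LOCAL_DIR
# Prints one of: absent | etc-only | local-only | same | differ
compare_acl() {
    a=$2/$1
    b=$3/$1
    # [ -e ] follows symlinks, so a dangling symlink counts as missing.
    if [ ! -e "$a" ] && [ ! -e "$b" ]; then echo absent
    elif [ ! -e "$b" ]; then echo etc-only
    elif [ ! -e "$a" ]; then echo local-only
    elif cmp -s "$a" "$b"; then echo same   # identical content or a symlink
    else echo differ
    fi
}

# check_tcpd_acls [ETC_DIR [LOCAL_DIR]]
# Returns 0 only when both sets of tools would evaluate identical rules.
check_tcpd_acls() {
    etc=${1:-/etc}
    loc=${2:-/usr/local/etc}
    rc=0
    for f in hosts.allow hosts.deny; do
        state=$(compare_acl "$f" "$etc" "$loc")
        case $state in
            same|absent) ;;
            etc-only)
                echo "$f: only in $etc; tcpd from the port will not see it"
                rc=1 ;;
            local-only)
                echo "$f: only in $loc; tcpdmatch, tcpdchk and inetd wrapping will not see it"
                rc=1 ;;
            differ)
                echo "$f: copies in $etc and $loc differ"
                rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run `check_tcpd_acls` with no arguments to check the default locations; a non-zero status means rules validated with tcpdmatch are not the rules tcpd enforces.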