oss-sec mailing list archives

Re: Re: Some fun with tcp_wrappers


From: Tomas Hoger <thoger () redhat com>
Date: Wed, 15 Apr 2009 19:58:30 +0200

On Wed, 15 Apr 2009 10:58:54 -0400 (EDT) wietse () porcupine org (Wietse
Venema) wrote:

STRING_UNKNOWN is valid argument expected to be passed to hosts_ctl.
That description does not seem to be too clear to indicate that when
one uses hosts_ctl as:

  hosts_ctl(svcname, STRING_UNKNOWN, client_addr, STRING_UNKNOWN)

all hostname-based rules are ignored.  It seems those using
hosts_ctl do not always realize that.

That behavior is not what I implemented. It must have been introduced
by someone else.

[ .. ]

As you see, my own code does not ignore hostname rules when
the hostname is "unknown".

Your examples work as the hostname used in hosts.{allow,deny} is
"unknown", but it should not work for any other hostname.  Can you try
this:

$ getent hosts 127.0.0.1
127.0.0.1       localhost

$ cat hosts.allow hosts.deny
foobar: localhost
foobar: ALL: DENY
cat: hosts.deny: No such file or directory

$ ./test-hostsctl -d foobar unknown 127.0.0.1 unknown
denied

(this is expected to be allowed)

$ cat hosts.allow hosts.deny
foobar: localhost: DENY
cat: hosts.deny: No such file or directory

$ ./test-hostsctl -d foobar unknown 127.0.0.1 unknown
allowed

(this is expected to be denied)

"test-hostsctl servicename unknown IP unknown" is what some
applications do expecting tcp_wrappers to resolve IP to hostname.

-- 
Tomas Hoger / Red Hat Security Response Team


Current thread: