src/libexec/tcpd doesn't work correctly with -DPROCESS_OPTIONS
Vincent Poy
vince at oahu.WURLDLINK.NET
Sat Jul 5 13:47:38 PDT 2003
On Sat, 5 Jul 2003, Vincent Poy wrote:
> On Sat, 5 Jul 2003, Scot W. Hetzel wrote:
>
> > From: "Vincent Poy" <vince at oahu.WURLDLINK.NET>
> > > Any ideas?
> > >
> > >
> > According to the inetd man page:
> >
> > TCP Wrappers
> > When given the -w option, inetd will wrap all services specified as
> > ``stream nowait'' or ``dgram'' except for ``internal'' services. If the
> > -W option is given, such ``internal'' services will be wrapped. If both
> > options are given, wrapping for both internal and external services will
> > be enabled. Either wrapping option will cause failed connections to be
> > logged to the ``auth'' syslog facility. Adding the -l flag to the
> > wrapping options will include successful connections in the logging to
> > the ``auth'' facility.
> > :
> > When wrapping is enabled, the tcpd daemon is not required, as that
> > functionality is builtin. .....
> >
> > Also, /etc/defaults/rc.conf shows that inetd_flags has both '-w' and '-W'
> > flags set. If you are using the default flags to inetd, then you don't need
> > to use tcpd to wrap your telnetd session.
> >
> > Did you change your inetd_flags?
>
> Nope, I have the -wW by default. I never knew inetd had builtin
> wrappers but in that case, then it might be better but I remembered
> tcp_wrappers was implemented into the base system and I thought it was in
> tcpd since that binary is part of the world build process installation.
>
> > I just tested the builtin tcp_wrappers in inetd, and had no problem with
> > adding a banner to my ftpd and telnetd daemons without using the tcpd
> > daemon. But, when I changed the service to:
> >
> > ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l
> >
> > and then killed -HUP the inetd process, the inetd process wanted the banner
> > file to be called 'tcpd' instead of 'ftpd'.
>
> Actually, it's working correctly for me with the ftpd name. This
> is my /etc/inetd.conf for the ftpd line:
>
> ftp stream tcp nowait root /usr/libexec/ftpd /usr/libexec/ftpd -l
>
> This is what the hosts.allow line looks like:
>
> telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners
>
> This is my /etc/banners listing:
>
> root at bigbang [1:33pm][/usr/local/sbin] >> dir /etc/banners
> total 38
> drwxr-xr-x 3 root wheel - 512 Sep 7 2002 .
> drwxr-xr-x 18 root wheel - 3072 Jul 5 11:59 ..
> -rw-r--r-- 1 root wheel - 2026 Dec 12 1996 Makefile
> drwxr-xr-x 2 root wheel - 512 Sep 6 2002 deny
> -rw-r--r-- 1 root wheel - 712 Sep 6 2002 deny.telnetd
> -rw-r--r-- 1 root wheel - 219 Sep 6 2002 fingerd
> -rw-r--r-- 1 root wheel - 215 Dec 15 1996 fingerd.bak
> -rw-r--r-- 1 root wheel - 1289 Dec 13 1996 fingerd.old
> -rw-r--r-- 1 root wheel - 634 Sep 6 2002 ftpd
> -rwxr-xr-x 1 root wheel - 8192 Dec 12 1996 nul
> -rw-r--r-- 1 root wheel - 582 Sep 6 2002 prototype
> -rw-r--r-- 1 root wheel - 1289 Dec 16 1996 prototype.old
> -rw-r--r-- 1 root wheel - 0 Sep 6 2002 rlogind
> -rw-r--r-- 1 root wheel - 582 Sep 6 2002 rshd
> -rw-r--r-- 1 root wheel - 557 Sep 7 2002 sshd
> -rw-r--r-- 1 root wheel - 582 Sep 6 2002 telnetd
>
> The only thing is that for IPs not defined, it would go straight
> to the ftp login prompt and not deny access, I thought deny was default
> for anything not defined?
>
> > I also killed inetd, and started it with no flags. But when I connected to
> > the ftpd process, tcpd didn't display the banner (both tcpd and ftpd banner
> > files were installed into the banner directory).
>
> Yep, same here.
>
> > So it looks like tcpd is broken when it comes to displaying banners.
>
> So it wasn't my imagination. :-) I wonder if there are actually
> any differences between the tcp_wrappers in inetd and the one in tcpd or
> is the inetd just the tcpd stuff all integrated and improved.
>
> > I suggest you use inetd's builtin TCP Wrappers support, and forget using
> > tcpd.
>
> That's a good idea since I probably won't remember to fix tcpd if
> there is a fix on each cvsup and then buildworld.
>
> > Scot
Here is something weird... In /etc/hosts.allow, I added the
following line:
ALL : ALL : rfc931: banners /etc/banners/deny : deny
So I attempted to ftp and this is what happens.
Connected to bigbang.DNALOGIC.NET.
[unknown at adsl-208-201-244-226.sonic.net] Sorry but you currently do not
have permission to connect here!
User (bigbang.DNALOGIC.NET:(none)): ^C
C:\Documents and Settings\vince>ftp bigbang
Connected to bigbang.DNALOGIC.NET.
[unknown at adsl-208-201-244-226.sonic.net] Sorry but you currently do not
have permission to connect here!
User (bigbang.DNALOGIC.NET:(none)): vince
________ _____ _________ ______ _______ __________________________
___ __ \___ | / /___ |___ / __ __ \__ ____/____ _/__ ____/
__ / / /__ |/ / __ /| |__ / _ / / /_ / __ __ / _ /
_ /_/ / _ /| / _ ___ |_ /___/ /_/ / / /_/ / __/ / / /___
/_____/ /_/ |_/ /_/ |_|/_____/\____/ \____/ /___/ \____/
.NET
[ bigbang.DNALOGIC.NET ]
DNA Logic Corporation - http://www.DNALOGIC.NET
San Francisco, California USA
For assistance or information please e-mail root at bigbang.DNALOGIC.NET
Connection closed by remote host.
The telnet one works correctly but the ftpd one seems to display the
first line of the /etc/banners/deny/ftpd and then prompt for the login,
which it will deny before displaying the rest of the banner.
Cheers,
Vince - vince at WURLDLINK.NET - Vice President ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
WurldLink Corporation / / / / | / | __] ]
San Francisco - Honolulu - Hong Kong / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1 at IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
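As an added illustration, not code from the thread or from FreeBSD, here is a small Python evaluator for the hosts.allow semantics the thread turns on: first matching rule wins, and a client matched by no rule is allowed, which is why the trailing `ALL : ALL ... : deny` line was needed before unmatched IPs stopped reaching the ftp login prompt. The rule text is constructed from the two lines quoted above; the parser is simplified (no hosts.deny file, no `EXCEPT`, no netmask or hostname patterns).

```python
# Constructed sample in FreeBSD's single-file hosts.allow style, where each
# rule carries an explicit "allow"/"deny" option. Not the poster's real file.
HOSTS_ALLOW = """
telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners
ALL : ALL : rfc931: banners /etc/banners/deny : deny
"""

def parse_rules(text):
    """Split each non-empty, non-comment line into
    (daemon list, client list, option list)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, fields[2:]))
    return rules

def client_matches(pattern, client_ip):
    """ALL matches everything; a pattern ending in '.' (e.g. '208.201.244.')
    is a network prefix; anything else must match the address exactly."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern

def hosts_access(daemon, client_ip, rules):
    """Return (decision, banner_dir). The first rule whose daemon list and
    client list both match decides; with no match, tcp_wrappers allows."""
    for daemons, clients, options in rules:
        if not ("ALL" in daemons or daemon in daemons):
            continue
        if not any(client_matches(p, client_ip) for p in clients):
            continue
        decision = "deny" if "deny" in options else "allow"
        banner = None
        for opt in options:
            if opt.startswith("banners "):
                banner = opt.split(None, 1)[1]
        return decision, banner
    return "allow", None   # no rule matched: default is to allow
```

Dropping the `ALL : ALL` line and re-running `hosts_access("ftpd", "10.0.0.5", ...)` returns `("allow", None)`, which reproduces the behaviour the thread describes for IPs not covered by any rule.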