bin/155985: tcpd does not perform access control
HIROSHI OOTA
nil at mad.dog.cx
Mon Mar 28 06:40:13 UTC 2011
>Number: 155985
>Category: bin
>Synopsis: tcpd does not perform access control
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 28 06:40:12 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: HIROSHI OOTA
>Release: 9-current
>Organization:
>Environment:
FreeBSD XXX 9.0-CURRENT FreeBSD 9.0-CURRENT #133 r219891M: Wed Mar 23 08:56:43 JST 2011 root@ amd64
>Description:
tcpd does not perform any access control. The access-control table (/etc/hosts.allow) is always ignored.
I wrote
ALL : ALL : deny
at the head of /etc/hosts.allow. Tcpd ignores this entry and permits the connection.
>How-To-Repeat:
/etc/hosts.allow:
    ALL : ALL : deny

/etc/inetd.conf:
    ftp stream tcp nowait root /usr/libexec/tcpd /usr/libexec/ftpd -l

# /etc/rc.d/inetd reload
# ftp localhost
>Fix:
To enable the access-control facility, tcpd should be compiled with the -DHOSTS_ACCESS flag.
Add -DHOSTS_ACCESS to /usr/src/libexec/tcpd/Makefile.
The code fragment of this problem is the following.
/usr/src/contrib/tcp_wrappers/tcpd.c, lines 112-121:

    /*
     * Check whether this host can access the service in argv[0]. The
     * access-control code invokes optional shell commands as specified in
     * the access-control tables.
     */

    #ifdef HOSTS_ACCESS
        if (!hosts_access(&request))
            refuse(&request);
    #endif
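As an added illustration (this is not tcp_wrappers or FreeBSD code), the following model reproduces the shape of the fragment above: a hosts.allow-style table is consulted only inside an #ifdef HOSTS_ACCESS block, so a build that omits the flag silently permits everything. The table parser is a deliberate simplification (one table, first matching rule wins, only "ALL" or an exact name as a pattern; the real library also reads /etc/hosts.deny and supports many more patterns), the table contents are constructed for the example, and MODEL_UNWRAPPED is a hypothetical knob that stands in for leaving -DHOSTS_ACCESS out of the Makefile.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not tcp_wrappers code.  In tcpd the HOSTS_ACCESS flag comes
 * from the Makefile.  For a stand-alone build this default switches the check
 * on; MODEL_UNWRAPPED is a hypothetical knob: build with -DMODEL_UNWRAPPED to
 * reproduce the reported behaviour, where the table is never consulted. */
#if !defined(HOSTS_ACCESS) && !defined(MODEL_UNWRAPPED)
#  define HOSTS_ACCESS 1
#endif

#define MAX_FIELD 64

/* Copy the next ':'-separated field of the current line into out, trimming
 * surrounding blanks.  Returns 0 when the line has no more fields. */
static int next_field(const char **p, char *out)
{
    const char *s = *p;
    size_t n = 0;

    if (*s == '\0' || *s == '\n')
        return 0;
    while (*s == ' ' || *s == '\t')
        s++;
    while (*s != '\0' && *s != ':' && *s != '\n') {
        if (n + 1 < MAX_FIELD)
            out[n++] = *s;
        s++;
    }
    while (n > 0 && (out[n - 1] == ' ' || out[n - 1] == '\t'))
        n--;
    out[n] = '\0';
    if (*s == ':')
        s++;
    *p = s;
    return 1;
}

/* Simplified pattern: the "ALL" wildcard or an exact name. */
static int pattern_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "ALL") == 0 || strcmp(pattern, value) == 0;
}

/* Evaluate a hosts.allow-style table for (daemon, client): 1 allows, 0 denies.
 * A matching rule with no option or with "allow" permits; the option "deny"
 * refuses.  With no matching rule tcp_wrappers permits, so the model does too. */
int hosts_access_check(const char *table, const char *daemon, const char *client)
{
    const char *p = table;

    while (*p != '\0') {
        const char *line = p;
        const char *nl = strchr(p, '\n');
        char dfield[MAX_FIELD], cfield[MAX_FIELD], opt[MAX_FIELD] = "";
        const char *q;

        p = nl ? nl + 1 : p + strlen(p);
        while (*line == ' ' || *line == '\t')
            line++;
        if (*line == '#' || *line == '\n' || *line == '\0')
            continue;                     /* comment or blank line */
        q = line;
        if (!next_field(&q, dfield) || !next_field(&q, cfield))
            continue;                     /* malformed: needs daemon and client */
        next_field(&q, opt);              /* optional third field */
        if (pattern_matches(dfield, daemon) && pattern_matches(cfield, client))
            return strcmp(opt, "deny") != 0;
    }
    return 1;
}

/* Whether this binary carries the access-control check at all. */
int built_with_access_control(void)
{
#ifdef HOSTS_ACCESS
    return 1;
#else
    return 0;
#endif
}

/* The decision structured as tcpd.c has it: the table is consulted only when
 * built with HOSTS_ACCESS; otherwise every connection is permitted, which is
 * the fail-open behaviour the report describes. */
int tcpd_decision(const char *table, const char *daemon, const char *client)
{
#ifdef HOSTS_ACCESS
    return hosts_access_check(table, daemon, client);
#else
    (void)table; (void)daemon; (void)client;
    return 1;
#endif
}

/* The report's scenario: "ALL : ALL : deny" at the head of the table
 * (constructed contents) and an ftp connection from localhost. */
int report_scenario(void)
{
    static const char table[] = "# constructed sample of /etc/hosts.allow\nALL : ALL : deny\n";
    return tcpd_decision(table, "ftpd", "localhost");
}

int main(void)
{
    printf("built with access control: %s\n", built_with_access_control() ? "yes" : "no");
    printf("ftp from localhost: %s\n", report_scenario() ? "permitted" : "refused");
    return 0;
}
```

Built normally (cc model.c) the ftp connection is refused; built with -DMODEL_UNWRAPPED it is permitted even though the table says deny, and built_with_access_control() reports the difference. That last function is the point for an operator: a compile-time gate on a security check leaves no runtime trace when it is off, so the only reliable check is on the build (the Makefile flag the fix adds) rather than on the configuration file.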
>Release-Note:
>Audit-Trail:
>Unformatted: