Bug 1181815
| Field | Value |
|---|---|
| Summary | RFE: Add aclexec patch to make it possible to use custom ACL scripts with tcp_wrappers services |
| Product | [Fedora] Fedora |
| Component | tcp_wrappers |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | unspecified |
| Reporter | Pasi Karkkainen <pasik> |
| Assignee | Jakub Jelen <jjelen> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | jjelen, pasik, pjcreath+bugzilla, plautrba |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | tcp_wrappers-7.6-80.fc23 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2015-02-23 09:18:17 UTC |
| Story Points | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Pasi Karkkainen
2015-01-13 20:00:08 UTC
Created attachment 985141 [details] Proposed dist git patch

I used Debian patch: http://anonscm.debian.org/cgit/users/md/tcp-wrappers.git/commit/?h=patch-queue/master&id=51e7d82c0b6abf9cfaaccaeda185e6eeda05539b

After applying the patch to our sources and defining -DACLEXEC for the build, and resolving some issues, I managed to update the patch (see attached) and create a scratch build [1]. Pasi, can you have a look at this package if it does what is intended? It works for me on rawhide.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=8750977

Great, thanks! I should be able to test it next week. I'll report back then.

Hmm, it seems the rpms for the patched version are not available anymore. For example: https://kojipkgs.fedoraproject.org//work/tasks/978/8750978/tcp_wrappers-7.6-79.fc22.src.rpm :

You don't have permission to access /work/tasks/978/8750978/tcp_wrappers-7.6-79.fc22.src.rpm on this server.
I built a local custom rpm on f21 based on tcp_wrappers-7.6-79.fc22.src.rpm and the patch from attachment 985141 [details] (linked above).
I tested the self-built aclexec-patched binary rpms on Fedora 21, and it seems to work OK for me.
Simple test-case setup was like this:
/etc/hosts.deny:

```
ALL: ALL
```

/etc/hosts.allow:

```
sshd: ALL : aclexec /usr/local/bin/acltest.sh %a
```

/usr/local/bin/acltest.sh:

```bash
#!/bin/bash
exit 0
```
Logging in via ssh works OK with the above settings. When I change the "acltest.sh" script to "exit 1" all ssh connections are refused with the following entry in /var/log/secure:
```
Feb 22 22:07:17 f21test01 sshd[2363]: aclexec returned 1
Feb 22 22:07:17 f21test01 sshd[2363]: refused connect from 192.168.122.1 (192.168.122.1)
```
I also verified $1 parameter for the "acltest.sh" script is the actual IP of the connecting client.
So it seems to work OK for me. So I'm hoping this patch will make it to F22.
Thanks a lot!
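As an added example (not from this bug report or the tcp_wrappers package), here is a fail-closed version of the acltest.sh hook tested above: it allows the client address that hosts.allow passes as %a only when it falls inside an allowlist of networks. The ACL_ALLOWED_NETS contents and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: an aclexec hook for a hosts.allow
# line such as   sshd: ALL : aclexec /usr/local/bin/acltest.sh %a
# tcp_wrappers allows the connection only when this script exits 0, so every
# unexpected condition below deliberately returns non-zero (fail closed).

# Constructed allowlist of client networks (placeholder CIDR blocks).
ACL_ALLOWED_NETS="${ACL_ALLOWED_NETS:-192.168.122.0/24 10.0.0.0/8}"

# ip4_to_int ADDR: print ADDR as an integer; return 1 unless ADDR is a
# well-formed dotted quad (four decimal octets 0-255, no leading zeros).
ip4_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0|[1-9]*) [ "$o" -le 255 ] || return 1 ;; *) return 1 ;; esac
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/BITS: return 0 if ADDR lies inside the CIDR block.
in_net() {
    addr=$(ip4_to_int "$1") || return 1
    net=$(ip4_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# acl_check CLIENT_ADDR: 0 (allow) only for a valid address inside an allowed
# network; malformed or unexpected input is denied, never allowed by accident.
acl_check() {
    for n in $ACL_ALLOWED_NETS; do
        in_net "$1" "$n" && return 0
    done
    return 1
}

# Entry point when tcp_wrappers runs the script with %a. Without an argument
# the file only defines the functions, so it can be sourced for testing.
if [ $# -gt 0 ]; then
    acl_check "$1" && exit 0
    logger -t aclexec "denied connection from $1"   # audit trail via syslog
    exit 1
fi
```

A denial shows up next to the "aclexec returned 1" line that sshd already logs, so the two records can be correlated in /var/log/secure.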
Thanks for response and testing. Pushing into rawhide and f22.

Now that this has soaked for 2 years, is there any chance this patch could get applied to RHEL7? We'd love this capability for our servers.

Peter, the RHEL7 bug for this feature is bug #1212380, which describes why this functionality was not added in RHEL7. Adding it now sounds very unlikely, since we plan to deprecate this functionality in the near future. See the discussion thread on fedora-devel/fedora-users: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2IBVP66BM6HUZVRTFIVURNZUR2XSUMOD/