Bug 157053

Summary: Picky: Slightly more info in /etc/hosts.allow and /etc/hosts.deny
Product: Red Hat Enterprise Linux 4
Reporter: David Tonhofer <bughunt>
Component: setup
Assignee: Phil Knirsch <pknirsch>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4.0
CC: john.horne, rvokal, shillman, tjanouse
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: RHBA-2008-0130
Doc Type: Enhancement
Last Closed: 2008-03-05 12:30:40 UTC
Attachments:
  this is the patch for setup in fedora devel (flags: none)

Description David Tonhofer 2005-05-06 14:32:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707

Description of problem:
Update the files /etc/hosts.allow and /etc/hosts.deny with additional hints:

Old:
====

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

Better:
=======

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#                 for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#

Old:
====

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

Better:
========

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#                 for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#



Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-37.2

How reproducible:
Always

Steps to Reproduce:
n/a
  

Actual Results:  n/a

Expected Results:  n/a

Additional info:

n/a
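
The proposed hosts.deny header notes that deny rules can also live in /etc/hosts.allow with a 'deny' option, so an audit of what is blocked has to read both files. The following is an added example, not part of the bug report or the setup package: a Python script that lists every denying rule in either file, assuming the hosts_options(5) extension is compiled in and that the allow/deny keywords are matched case-insensitively; the sample rules and function names are constructed.

```python
import re

# Constructed sample file contents, not taken from the bug report.
SAMPLE_ALLOW = """\
# hosts.allow
sshd : 192.0.2.0/255.255.255.0
sshd : .example.net : deny
vsftpd : 198.51.100.7 : spawn /bin/true : \\
         DENY
"""
SAMPLE_DENY = """\
# hosts.deny
ALL : ALL
in.telnetd : .example.org : allow
"""

def parse_rules(text):
    """Yield (daemon_list, client_list, options) for each rule line."""
    # Join backslash-newline continuations before splitting into lines.
    text = text.replace("\\\n", "")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ':' unless the colon is escaped as '\:'.
        fields = [f.replace("\\:", ":").strip()
                  for f in re.split(r"(?<!\\):", line)]
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]

def deny_rules(allow_text, deny_text):
    """Return (file, daemons, clients) for every rule whose effect is deny."""
    found = []
    for name, text, default in (("hosts.allow", allow_text, "allow"),
                                ("hosts.deny", deny_text, "deny")):
        for daemons, clients, opts in parse_rules(text):
            # allow/deny must be the last option; otherwise the file decides.
            last = opts[-1].lower() if opts else ""
            effect = last if last in ("allow", "deny") else default
            if effect == "deny":
                found.append((name, daemons, clients))
    return found

if __name__ == "__main__":
    for rule in deny_rules(SAMPLE_ALLOW, SAMPLE_DENY):
        print("%-12s %-12s %s" % rule)
```

The listing is textual only: tcp_wrappers stops at the first matching rule, so an earlier allow rule for the same client still takes precedence over a deny rule reported here.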

Comment 2 John Horne 2006-01-20 13:22:07 UTC
Can I add that the hosts.deny file contains the comment line:

  # The portmap line is redundant, but it is left to remind you that

I have just installed RHEL4 (update 2) and the hosts.deny file contains no
portmap line at all. As such the comment line is confusing. My server has
portmap installed but not nfs, perhaps a portmap line is added only if nfs is
installed?



John.

Comment 5 Tomas Janousek 2007-05-24 11:25:29 UTC
Ouch. The files are not owned by tcp_wrappers at all. Reassigning, clearing
flags, etc. Sorry.

Comment 6 Tomas Janousek 2007-05-24 11:27:17 UTC
Created attachment 155333 [details]
this is the patch for setup in fedora devel

Here's the patch. I think it should go upstream first, though.

Comment 8 Phil Knirsch 2008-02-22 16:36:39 UTC
Suggesting for RHEL-4.8, granting Devel ACK.

Read ya, Phil

Comment 9 Phil Knirsch 2008-02-22 17:05:26 UTC
Still in RHEL-4.7 planning, so reflagging for RHEL-4.7

Read ya, Phil

Comment 10 RHEL Program Management 2008-02-22 17:08:37 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 16 errata-xmlrpc 2008-03-05 12:30:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0130.html