Bug 91555

Summary: xinetd and libwrap - refusing connections that should be accepted ...
Product: [Retired] Red Hat Linux
Reporter: Guðmundur D. H. <gdh>
Component: xinetd
Assignee: Jay Fenlason <fenlason>
Status: CLOSED RAWHIDE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 8.0
CC: gdh, jfeeney
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-12-12 08:49:34 UTC

Description Guðmundur D. H. 2003-05-23 23:37:32 UTC
Description of problem:
After updating xinetd to version 2.3.11-1.8.0, connections to the time service
do not work as they did before (!).

This is probably a regression, since the config files (/etc/xinet.d/time &
/etc/hosts.{allow|deny}) did not change in or after the update and the service
did work fine before.

What happens is that when I make a connection to the service I get thrown out
again and this gets logged by syslog:

xinetd[7393]: libwrap refused connection to time-stream from 192.168.0.3

The config files:
/etc/hosts.deny:
ALL: ALL, PARANOID

/etc/hosts.allow:
time-stream: 192.168.0.

/etc/xinet.d/time:
service time
{
	disable	= no
	type		= INTERNAL
	id		= time-stream
	socket_type	= stream
	protocol	= tcp
	user		= root
	wait		= no
}

I've tried to modify the config to get this to work, but only with success if I
remove the ALL: ALL line from hosts.deny. If I use time-server: ALL,PARANOID and
keep the hosts.allow just as it is, everything is OK.

Any suggestions?

Comment 1 Guðmundur D. H. 2003-06-13 19:08:10 UTC
Ok, this ain't bound to the time service - I've seen it with amanda too.

Comment 2 Jay Fenlason 2003-08-01 20:29:48 UTC
If I change /etc/hosts.allow to say "time: 192.168.48.", it lets me in.  This makes me suspect
xinetd is using the wrong service name when it's querying libwrap.

gdh: can you attach the hosts.{allow,deny} and /etc/xinetd.d/am* files that replicate
this problem?

Comment 3 Guðmundur D. H. 2003-08-03 15:01:47 UTC
Yei, same thing here, the "time: X.X.X.X" line works for me, thanks! :)

Now, the amanda thing...

/etc/xinet.d/amanda:

service amanda
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= amanda
	group			= disk
	server			= /usr/lib/amanda/amandad
	disable			= no
}

/etc/hosts.deny:

ALL: ALL,PARANOID

/etc/hosts.allow:

amanda: 194.144.184.,194.144.185.
amandaidx: 194.144.184., 194.144.185. # Just 


Also I've used "amanda: ALL" and "amandaidx: ALL" in hosts.allow, and xinetd
refused all connections to the amanda service. 

/var/log/secure:
Aug  3 14:38:49 backup xinetd[30625]: START: amanda pid=31234 from=194.144.184.1
Aug  3 14:38:49 backup xinetd[31234]: FAIL: amanda libwrap from=194.144.184.1

--

The same thing happens with xinetd-2.3.7-2, perhaps I'm doing something wrong here?

Comment 4 Jay Fenlason 2003-08-11 17:02:55 UTC
I've built xinetd-2.3.12-1.10.0 in Raw Hide.  I don't know if the binary RPM
will run on Red Hat Linux 8.0, but you can certainly download the SRPM and
rpmbuild --rebuild it.

I included the slightly-post-2.3.12 patch that implements a "libwrap"
parameter for services, so you can explicitly give the service name to look
for in etc/hosts.{deny,allow}.  Since the problem here seems to be that xinetd
isn't using the service name we expect, the improved documentation (the
description of the libwrap parameter says how xinetd chooses service names if
it's not included) and the ability to make xinetd do what we want should allow
us to close this bug.  Comments?

I'm setting this bug to MODIFIED.  If I don't hear any complaints, I'll
probably close this bug the next time I make a pass through the xinetd bug
list.
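
The access decision discussed in this thread, as an added example (not xinetd's or tcp_wrappers' own code): a small model of libwrap's hosts.allow/hosts.deny evaluation, run with the reporter's files against the two names xinetd might pass for the time service. Only the rule forms used in this bug are modelled (ALL, PARANOID as a caller-supplied flag, and dotted address prefixes); hostnames, netmasks and EXCEPT are left out by assumption.

```python
import re

# Constructed from the report: the reporter's hosts.allow and hosts.deny.
HOSTS_ALLOW = "time-stream: 192.168.0.\n"
HOSTS_DENY = "ALL: ALL, PARANOID\n"

def _tokens(field):
    """Split a daemon or client list on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", field.strip()) if t]

def parse_rules(text):
    """Parse hosts.allow/hosts.deny lines into (daemon_tokens, client_tokens)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line without a client list
        rules.append((_tokens(fields[0]), _tokens(fields[1])))  # options ignored
    return rules

def _client_matches(token, addr, paranoid):
    if token == "ALL":
        return True
    if token == "PARANOID":  # matches when the client's name and address disagree
        return paranoid
    if token.endswith("."):  # "192.168.0." is an address prefix
        return addr.startswith(token)
    return addr == token

def _rule_matches(rule, daemon, addr, paranoid):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        _client_matches(c, addr, paranoid) for c in clients)

def hosts_access(allow_text, deny_text, daemon, addr, paranoid=False):
    """tcp_wrappers order: an allow match grants, then a deny match refuses, else grant."""
    if any(_rule_matches(r, daemon, addr, paranoid) for r in parse_rules(allow_text)):
        return True
    if any(_rule_matches(r, daemon, addr, paranoid) for r in parse_rules(deny_text)):
        return False
    return True

def decision_by_daemon_name(addr="192.168.0.3"):
    """Same client and files; the only variable is the name xinetd passes to libwrap."""
    return {name: hosts_access(HOSTS_ALLOW, HOSTS_DENY, name, addr)
            for name in ("time-stream", "time")}
```

With the reporter's files, a query for "time-stream" is granted while one for "time" falls through to "ALL: ALL" in hosts.deny, which is the refusal the syslog line shows; the deny line "time-server: ALL,PARANOID" the reporter tried never matches either name, so everything is let through.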

Comment 5 Guðmundur D. H. 2003-08-15 18:09:39 UTC
I'm checking this out, will comment on it in the next few days.

But there is one missing dependency in the xinetd package which I got from
rawhide; libtool is missing as a build requirement.


Comment 6 Guðmundur D. H. 2003-08-15 19:16:00 UTC
Jei :)

I fetched the RPM from Raw Hide, compiled it (disabled the pie patch since my
gcc doesn't support -fpie) and installed it.

Now amanda is working correctly, thanks to the changes which cause xinetd to
log the string which is used as a service-id to libwrap to the messages log.
Still, I'd think it is 'more correct' to have this logged to the secure log.

But anyway, thanks a lot! :)