Bug 91555
Summary: | xinetd and libwrap - refusing connections that should be accepted ... | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Guðmundur D. H. <gdh> |
Component: | xinetd | Assignee: | Jay Fenlason <fenlason> |
Status: | CLOSED RAWHIDE | QA Contact: | Brock Organ <borgan> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 8.0 | CC: | gdh, jfeeney |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2003-12-12 08:49:34 UTC | Type: | --- |
Description
Guðmundur D. H.
2003-05-23 23:37:32 UTC
Ok, this ain't bound to the time service - I've seen it with amanda too.

If I change /etc/hosts.allow to say "time: 192.168.48.", it lets me in. This makes me suspect xinetd is using the wrong service name when it's querying libwrap.

gdh: can you attach the hosts.{allow,deny} and /etc/xinetd.d/am* files that replicate this problem?

Yei, same thing here, the "time: X.X.X.X" line works for me, thanks! :)

Now, the amanda thing...

/etc/xinet.d/amanda:

    service amanda
    {
        socket_type = dgram
        protocol = udp
        wait = yes
        user = amanda
        group = disk
        server = /usr/lib/amanda/amandad
        disable = no
    }

/etc/hosts.deny:

    ALL: ALL,PARANOID

/etc/hosts.allow:

    amanda: 194.144.184.,194.144.185.
    amandaidx: 194.144.184., 194.144.185.
    # Just

Also I've used "amanda: ALL" and "amandaidx: ALL" in hosts.allow, and xinetd refused all connections to the amanda service.

/var/log/secure:

    Aug 3 14:38:49 backup xinetd[30625]: START: amanda pid=31234 from=194.144.184.1
    Aug 3 14:38:49 backup xinetd[31234]: FAIL: amanda libwrap from=194.144.184.1

--
The same thing happens with xinetd-2.3.7-2, perhaps I'm doing something wrong here?

I've built xinetd-2.3.12-1.10.0 in Raw Hide. I don't know if the binary RPM will run on Red Hat Linux 8.0, but you can certainly download the SRPM and rpmbuild --rebuild it. I included the slightly-post-2.3.12 patch that implements a "libwrap" parameter for services, so you can explicitly give the service name to look for in etc/hosts.{deny,allow}. Since the problem here seems to be that xinetd isn't using the service name we expect, the improved documentation (the description of the libwrap parameter says how xinetd chooses service names if it's not included) and the ability to make xinetd do what we want should allow us to close this bug. Comments?

I'm setting this bug to MODIFIED. If I don't hear any complaints, I'll probably close this bug the next time I make a pass through the xinetd bug list.

I'm checking this out, will comment on it in the next few days. But there is one missing dependency in the xinetd package which I got from rawhide; libtool is missing as a build requirement.

Jei :) I fetched the RPM from Raw Hide, compiled it (disabled the pie patch since my gcc doesn't support -fpie) and installed it. Now amanda is working correctly, thanks to the changes which cause xinetd to log the string which is used as a service-id to libwrap to the messages log. Still, I'd think it is 'more correct' to have this logged to the secure log. But anyway, thanks a lot! :)
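
An added example, not part of the bug report or of xinetd: a small check that predicts the daemon name xinetd hands to libwrap for a service stanza and reports whether hosts.allow has a rule under that name. It assumes the default described with the libwrap attribute in xinetd.conf(5) (explicit libwrap value, else the first server_args word with NAMEINARGS, else the server program's name, else the id of an internal service); the function names are hypothetical.

```python
import os
import re

# Stanza and hosts.allow rules quoted in the report above (stanza abridged).
STANZA = """service amanda
{
    socket_type = dgram
    server = /usr/lib/amanda/amandad
    disable = no
}"""
FIXED = STANZA.replace("disable = no", "disable = no\n    libwrap = amanda")
HOSTS_ALLOW = "amanda: 194.144.184.,194.144.185.\namandaidx: 194.144.184., 194.144.185.\n"

def parse_services(text):
    """Map each 'service NAME { ... }' stanza to its attribute dict."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.split("#")[0].partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services

def libwrap_name(service, attrs):
    """Daemon name handed to libwrap, under the assumed xinetd.conf(5) rule."""
    if "libwrap" in attrs:                     # explicit override
        return attrs["libwrap"]
    if "NAMEINARGS" in attrs.get("flags", "").split() and attrs.get("server_args"):
        return os.path.basename(attrs["server_args"].split()[0])
    if "server" in attrs:                      # assumed: basename of the server path
        return os.path.basename(attrs["server"])
    return attrs.get("id", service)            # internal service: its id

def daemons_listed(hosts_allow):
    """Collect the daemon names on the left of each hosts.allow rule."""
    names = set()
    for line in hosts_allow.splitlines():
        daemons, sep, _ = line.split("#")[0].partition(":")
        if sep:
            names.update(d for d in re.split(r"[,\s]+", daemons) if d)
    return names

def audit(xinetd_text, hosts_allow):
    """Return {service: (libwrap name, True if hosts.allow has a rule for it)}."""
    listed = daemons_listed(hosts_allow)
    names = {s: libwrap_name(s, a) for s, a in parse_services(xinetd_text).items()}
    return {s: (n, n in listed or "ALL" in listed) for s, n in names.items()}
```

Under that assumption the stanza from the report resolves to `amandad`, which the `amanda:` rule does not cover; with `libwrap = amanda` added, the existing rule applies.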