Description of problem:

Debian/Ubuntu has had support for "aclexec" option in /etc/hosts.allow and/or /etc/hosts.deny in tcp_wrappers via a custom patch since 2006. Fedora 22 recently added support for "aclexec" as well: https://bugzilla.redhat.com/show_bug.cgi?id=1181815

That option is very handy for being able to integrate custom user provided ACL scripts for controlling access to services.

An example of how one might use "aclexec" in "/etc/hosts.allow":

    servicename: ALL: aclexec /usr/local/bin/aclfilter.sh %a

If "aclfilter.sh" returns TRUE for the connecting IP then access is allowed, but if it returns FALSE access is denied. Very handy for integrating DNS RBLs and other IP databases via custom scripts.

Version-Release number of selected component (if applicable):

tcp_wrappers-7.6-77.el7

Actual results:

RHEL7 doesn't provide support for the aclexec option today.

Expected results:

RHEL7 provides support for aclexec option, like Fedora 22, Debian and Ubuntu do.

Additional info:

"aclexec" patch which was added to F22 tcp_wrappers rpms: http://anonscm.debian.org/cgit/users/md/tcp-wrappers.git/commit/?h=patch-queue/master&id=51e7d82c0b6abf9cfaaccaeda185e6eeda05539b

Debian tcp_wrappers changelog: http://archive.debian.net/changelogs/pool/main/t/tcp-wrappers/current/changelog.html which contains an entry from 2006: "New patch aclexec: adds the aclexec command and its documentation".

Documentation about aclexec: http://manpages.ubuntu.com/manpages/trusty/man5/hosts_options.5.html

RUNNING OTHER COMMANDS

    aclexec shell_command
        Execute, in a child process, the specified shell command, after performing the %<letter> expansions described in the hosts_access(5) manual page. The command is executed with stdin, stdout and stderr connected to the null device, so that it won't mess up the conversation with the client host.

        Example:

            smtp : ALL : aclexec checkdnsbl %a

        executes, in a background child process, the shell command "checkdnsbl %a" after replacing %a by the address of the remote host. The connection will be allowed or refused depending on whether the command returns a true or false exit status.
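Added example, not part of the bug report or of tcp_wrappers: one way an aclfilter.sh for the rule above could turn %a into an allow/refuse exit status using a DNSBL lookup. The zone dnsbl.example.org, the function names and the use of getent and logger are assumptions made for this sketch.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/aclfilter.sh (added example) for the rule:
#   servicename: ALL: aclexec /usr/local/bin/aclfilter.sh %a
# Exit 0 (true) allows the client; any other status refuses it.
# Assumption: placeholder zone; set DNSBL_ZONE to the list you use.
DNSBL_ZONE="${DNSBL_ZONE:-dnsbl.example.org}"

# True only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# 192.0.2.10 -> 10.2.0.192, the label order used in a DNSBL query.
reverse_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo "$4.$3.$2.$1"
}

# True when the name resolves, i.e. the address is listed. getent does not
# separate "not listed" from a resolver failure, so DNS errors fail open.
dnsbl_listed() {
    getent hosts "$1" >/dev/null 2>&1
}

# Decision for aclexec: 0 = allow, 1 = refuse.
acl_decide() {
    # Refuse anything that is not plain IPv4 (IPv6, for instance) instead
    # of building a DNS name from it.
    is_ipv4 "$1" || return 1
    if dnsbl_listed "$(reverse_ipv4 "$1").$DNSBL_ZONE"; then
        # aclexec ties stdout/stderr to the null device, so log via syslog.
        logger -t aclfilter "refused $1: listed in $DNSBL_ZONE" 2>/dev/null || true
        return 1
    fi
    return 0
}

# Run the check only when given an argument, as aclexec does with %a.
if [ "$#" -gt 0 ]; then
    acl_decide "$1"
    exit $?
fi
```

Because the script refuses whatever it cannot parse but allows on lookup failure, a resolver outage lets listed hosts through; invert the final return values if refusing is the safer default for the service.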
Hi Pasi,

I am pleased that you are interested to see this feature also in RHEL, but as stated many times, this bug tracking system is not a support tool and changes, especially feature requests, need to go through the support process. If you have a use case for this feature, please raise a ticket through your regular support to make sure it receives proper attention and prioritization.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.