Bug 91555 - xinetd and libwrap - refusing connections that should be accepted ...
Product: Red Hat Linux
Classification: Retired
Component: xinetd
i386 Linux
medium Severity medium
Assigned To: Jay Fenlason
Brock Organ
: Security
Reported: 2003-05-23 19:37 EDT by Guðmundur D. H.
Modified: 2014-08-31 19:25 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-12-12 03:49:34 EST
Description Guðmundur D. H. 2003-05-23 19:37:32 EDT
Description of problem:
After updating xinetd to version 2.3.11-1.8.0, connections to the time service
do not work as they did before (!).

This is probably a regression, since the configfiles (/etc/xinet.d/time &
/etc/hosts.{allow|deny}) did not change in or after the update and the service
did work fine before.

What happens is that when I make a connection to the service I get thrown out
again and this gets logged by syslog:

xinetd[7393]: libwrap refused connection to time-stream from

The configfiles:

time-stream: 192.168.0.

service time
{
	disable		= no
	type		= INTERNAL
	id		= time-stream
	socket_type	= stream
	protocol	= tcp
	user		= root
	wait		= no
}

I've tried to modify the config to get this to work, but only with success if I
remove the ALL: ALL line from hosts.deny. If I use time-server: ALL,PARANOID and
keep the hosts.allow just as it is, everything is OK.

Any suggestions?
Comment 1 Guðmundur D. H. 2003-06-13 15:08:10 EDT
Ok, this ain't bound to the time service - I've seen it with amanda too.
Comment 2 Jay Fenlason 2003-08-01 16:29:48 EDT
If I change /etc/hosts.allow to say "time: 192.168.48.", it lets me in.  This makes me suspect 
xinetd is using the wrong service name when it's querying libwrap. 
gdh@simnet.is: can you attach the hosts.{allow,deny} and /etc/xinetd.d/am* files that replicate 
this problem? 
Comment 3 Guðmundur D. H. 2003-08-03 11:01:47 EDT
Yei, same thing here, the "time: X.X.X.X" line works for me, thanks! :)

Now, the amanda thing...


service amanda
{
	socket_type		= dgram
	protocol		= udp
	wait			= yes
	user			= amanda
	group			= disk
	server			= /usr/lib/amanda/amandad
	disable			= no
}




amanda: 194.144.184.,194.144.185.
amandaidx: 194.144.184., 194.144.185. # Just 

Also I've used "amanda: ALL" and "amandaidx: ALL" in hosts.allow, and xinetd
refused all connections to the amanda service. 

Aug  3 14:38:49 backup xinetd[30625]: START: amanda pid=31234 from=
Aug  3 14:38:49 backup xinetd[31234]: FAIL: amanda libwrap from=


The same thing happens with xinetd-2.3.7-2, perhaps I'm doing something wrong here?
Comment 4 Jay Fenlason 2003-08-11 13:02:55 EDT
I've built xinetd-2.3.12-1.10.0 in Raw Hide.  I don't know if the binary RPM 
will run on Red Hat Linux 8.0, but you can certainly download the SRPM and 
rpmbuild --rebuild it. 
I included the slightly-post-2.3.12 patch that implements a "libwrap" 
parameter for services, so you can explicitly give the service name to look 
for in etc/hosts.{deny,allow}.  Since the problem here seems to be that xinetd 
isn't using the service name we expect, the improved documentation (the 
description of the libwrap parameter says how xinetd chooses service names if 
it's not included) and the ability to make xinetd do what we want should allow 
us to close this bug.  Comments? 
I'm setting this bug to MODIFIED.  If I don't hear any complaints, I'll 
probably close this bug the next time I make a pass through the xinetd bug 
Comment 5 Guðmundur D. H. 2003-08-15 14:09:39 EDT
I'm checking this out, will comment on it in the next few days.

But there is one missing dependency in the xinetd package which I got from
rawhide; libtool is missing as a build requirement.
Comment 6 Guðmundur D. H. 2003-08-15 15:16:00 EDT
Jei :)

I fetched the RPM from Raw Hide, compiled it (disabled the pie patch since my
gcc doesn't support -fpie) and installed it. 

Now amanda is working correctly, thanks to the changes which cause xinetd to
log the string which is used as a service-id to libwrap to the messages log.
Still, I'd think it is 'more correct' to have this logged to the secure log.

But anyway, thanks a lot! :)
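
Added example (not part of the bug report, and not xinetd's own code): a small Python audit that flags services whose hosts.allow entry covers only some of the names xinetd might pass to libwrap, which is the mismatch discussed in this thread. The candidate set used here (service name, id, basename of server) is an assumption made for auditing, not xinetd's documented selection rule, and the index-server path is a placeholder; a service with an explicit libwrap attribute has exactly one lookup name.

```python
import os
import re

def parse_services(conf):
    """Yield (name, attrs) for each 'service NAME { ... }' block."""
    for m in re.finditer(r"^\s*service\s+(\S+)\s*\{(.*?)\}", conf, re.S | re.M):
        pairs = (ln.split("#", 1)[0].partition("=") for ln in m.group(2).splitlines())
        yield m.group(1), {k.strip(): v.strip() for k, sep, v in pairs if sep}

def allowed_daemons(hosts_allow):
    """Daemon names left of the first ':' in each hosts.allow rule."""
    names = set()
    for line in hosts_allow.splitlines():
        daemons, sep, _ = line.split("#", 1)[0].partition(":")
        if sep:
            names.update(daemons.replace(",", " ").split())
    return names

def audit(conf, hosts_allow):
    """Map each service (by id, else name) to matched/ambiguous/unmatched."""
    allowed, report = allowed_daemons(hosts_allow), {}
    for name, a in parse_services(conf):
        if "libwrap" in a:      # explicit lookup name: exactly one candidate
            cands = {a["libwrap"]}
        else:                   # assumption: names xinetd might pass to libwrap
            cands = {name, a.get("id", name)}
            if "server" in a:
                cands.add(os.path.basename(a["server"]))
        hits = cands & allowed
        covered = "ALL" in allowed or hits == cands
        report[a.get("id", name)] = ("matched" if covered
                                     else "ambiguous" if hits else "unmatched")
    return report

SAMPLE_CONF = """
service time
{
    id = time-stream
}
service amanda
{
    server = /usr/lib/amanda/amandad
}
service amandaidx
{
    server = /path/to/index-server
    libwrap = amandaidx
}
"""  # constructed sample, trimmed to the attributes audit() reads
SAMPLE_ALLOW = "time-stream: 192.168.0.\namanda: 194.144.184.,194.144.185.\namandaidx: 194.144.184.\n"
```

An "ambiguous" result means hosts.allow names the service under one candidate only, so whether the connection is accepted depends on which name the installed xinetd version chooses.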
