Description of problem:

After updating xinetd to version 2.3.11-1.8.0, connections to the time service do not work as they did before (!). This is probably a regression, since the config files (/etc/xinet.d/time & /etc/hosts.{allow|deny}) did not change in or after the update and the service did work fine before.

What happens is that when I make a connection to the service I get thrown out again and this gets logged by syslog:

    xinetd[7393]: libwrap refused connection to time-stream from 192.168.0.3

The config files:

/etc/hosts.deny:

    ALL: ALL, PARANOID

/etc/hosts.allow:

    time-stream: 192.168.0.

/etc/xinet.d/time:

    service time
    {
        disable     = no
        type        = INTERNAL
        id          = time-stream
        socket_type = stream
        protocol    = tcp
        user        = root
        wait        = no
    }

I've tried to modify the config to get this to work, but only with success if I remove the ALL: ALL line from hosts.deny. If I use time-server: ALL,PARANOID and keep the hosts.allow just as it is, everything is OK. Any suggestions?
Ok, this ain't bound to the time service - I've seen it with amanda too.
If I change /etc/hosts.allow to say "time: 192.168.48.", it lets me in. This makes me suspect xinetd is using the wrong service name when it's querying libwrap. gdh: can you attach the hosts.{allow,deny} and /etc/xinetd.d/am* files that replicate this problem?
Yei, same thing here, the "time: X.X.X.X" line works for me, thanks! :) Now, the amanda thing...

/etc/xinet.d/amanda:

    service amanda
    {
        socket_type = dgram
        protocol    = udp
        wait        = yes
        user        = amanda
        group       = disk
        server      = /usr/lib/amanda/amandad
        disable     = no
    }

/etc/hosts.deny:

    ALL: ALL,PARANOID

/etc/hosts.allow:

    amanda: 194.144.184.,194.144.185.
    amandaidx: 194.144.184., 194.144.185. # Just

Also I've used "amanda: ALL" and "amandaidx: ALL" in hosts.allow, and xinetd refused all connections to the amanda service.

/var/log/secure:

    Aug 3 14:38:49 backup xinetd[30625]: START: amanda pid=31234 from=194.144.184.1
    Aug 3 14:38:49 backup xinetd[31234]: FAIL: amanda libwrap from=194.144.184.1

--
The same thing happens with xinetd-2.3.7-2, perhaps I'm doing something wrong here?
I've built xinetd-2.3.12-1.10.0 in Raw Hide. I don't know if the binary RPM will run on Red Hat Linux 8.0, but you can certainly download the SRPM and rpmbuild --rebuild it.

I included the slightly-post-2.3.12 patch that implements a "libwrap" parameter for services, so you can explicitly give the service name to look for in etc/hosts.{deny,allow}. Since the problem here seems to be that xinetd isn't using the service name we expect, the improved documentation (the description of the libwrap parameter says how xinetd chooses service names if it's not included) and the ability to make xinetd do what we want should allow us to close this bug. Comments?

I'm setting this bug to MODIFIED. If I don't hear any complaints, I'll probably close this bug the next time I make a pass through the xinetd bug list.
I'm checking this out, will comment on it in the next few days. But there is one missing dependency in the xinetd package which I got from rawhide; libtool is missing as a build requirement.
Jei :) I fetched the RPM from Raw Hide, compiled it (disabled the pie patch since my gcc doesn't support -fpie) and installed it. Now amanda is working correctly, thanks to the changes which cause xinetd to log the string which is used as a service-id to libwrap to the messages log. Still, I'd think it is 'more correct' to have this logged to the secure log. But anyway, thanks a lot! :)
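Added example, not part of the thread and not xinetd or libwrap code: a simplified Python model of the hosts_access(5) decision order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise grant), run against the files quoted in the first report. It shows why the outcome depends entirely on which daemon name xinetd hands to libwrap; the candidate names are inputs here, and PARANOID, EXCEPT, hostnames and netmasks are not modelled.

```python
import re

# Constructed from the files quoted in the first report of the thread.
HOSTS_ALLOW = "time-stream: 192.168.0.\n"
HOSTS_DENY = "ALL: ALL, PARANOID\n"

def parse_rules(text):
    """Return [(daemon_list, client_list)] for each 'daemons : clients' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # simplified comment handling
        if ":" not in line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]         # ignore any trailing option field
        tokens = lambda s: [t for t in re.split(r"[,\s]+", s.strip()) if t]
        rules.append((tokens(daemons), tokens(clients)))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                   # address prefix such as "192.168.0."
        return addr.startswith(pattern)
    return pattern == addr                      # PARANOID etc. never match here

def rule_hits(rules, daemon, addr):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True = grant. Order: hosts.allow match, then hosts.deny match, else grant."""
    if rule_hits(parse_rules(allow), daemon, addr):
        return True
    if rule_hits(parse_rules(deny), daemon, addr):
        return False
    return True

if __name__ == "__main__":
    for name in ("time-stream", "time"):        # candidate names xinetd might pass
        verdict = "granted" if hosts_access(name, "192.168.0.3") else "refused"
        print(f"daemon name {name!r}: {verdict}")
```

With a default-deny hosts.deny, any mismatch between the name in hosts.allow and the name actually passed to libwrap falls through to `ALL: ALL` and is refused, which is the symptom reported above.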