Re: src/libexec/tcpd doesn't work correctly with -DPROCESS_OPTIONS

From: Vincent Poy <vince_at_oahu.WURLDLINK.NET>
Date: Sat, 5 Jul 2003 10:39:49 -1000 (HST)
On Sat, 5 Jul 2003, Scot W. Hetzel wrote:

> From: "Vincent Poy" <vince_at_oahu.WURLDLINK.NET>
> > Any ideas?
> >
> >
> According to the inetd man page:
>
>    TCP Wrappers
>      When given the -w option, inetd will wrap all services specified as
>      ``stream nowait'' or ``dgram'' except for ``internal'' services.  If the
>      -W option is given, such ``internal'' services will be wrapped.  If both
>      options are given, wrapping for both internal and external services will
>      be enabled.  Either wrapping option will cause failed connections to be
>      logged to the ``auth'' syslog facility.  Adding the -l flag to the
>      wrapping options will include successful connections in the logging to the
>      ``auth'' facility.
> :
>      When wrapping is enabled, the tcpd daemon is not required, as that
>      functionality is builtin. .....
>
> Also, /etc/defaults/rc.conf shows that inetd_flags has both '-w' and '-W'
> flags set.  If you are using the default flags to inetd, then you don't need
> to use tcpd to wrap your telnetd session.
>
> Did you change your inetd_flags?

	Nope, I have the -wW by default.  I never knew inetd had builtin
wrappers but in that case, then it might be better but I remembered
tcp_wrappers was implemented into the base system and I thought it was in
tcpd since that binary is part of the world build process installation.

> I just tested the builtin tcp_wrappers in inetd, and had no problem with
> adding a banner to my ftpd and telnetd daemons without using the tcpd
> daemon.  But, when I changed the service to:
>
> ftp     stream  tcp     nowait  root    /usr/libexec/tcpd       ftpd -l
>
> and then killed -HUP the inetd process,  the inetd process wanted the banner
> file to be called 'tcpd' instead of 'ftpd'.

	Actually, it's working correctly for me with the ftpd name.  This
is my /etc/inetd.conf for the ftpd line:

ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       /usr/libexec/ftpd -l

This is what the hosts.allow line looks like:

telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners

This is my /etc/banners listing:

root_at_bigbang [1:33pm][/usr/local/sbin] >> dir /etc/banners
total 38
drwxr-xr-x   3 root  wheel  -  512 Sep  7  2002 .
drwxr-xr-x  18 root  wheel  - 3072 Jul  5 11:59 ..
-rw-r--r--   1 root  wheel  - 2026 Dec 12  1996 Makefile
drwxr-xr-x   2 root  wheel  -  512 Sep  6  2002 deny
-rw-r--r--   1 root  wheel  -  712 Sep  6  2002 deny.telnetd
-rw-r--r--   1 root  wheel  -  219 Sep  6  2002 fingerd
-rw-r--r--   1 root  wheel  -  215 Dec 15  1996 fingerd.bak
-rw-r--r--   1 root  wheel  - 1289 Dec 13  1996 fingerd.old
-rw-r--r--   1 root  wheel  -  634 Sep  6  2002 ftpd
-rwxr-xr-x   1 root  wheel  - 8192 Dec 12  1996 nul
-rw-r--r--   1 root  wheel  -  582 Sep  6  2002 prototype
-rw-r--r--   1 root  wheel  - 1289 Dec 16  1996 prototype.old
-rw-r--r--   1 root  wheel  -    0 Sep  6  2002 rlogind
-rw-r--r--   1 root  wheel  -  582 Sep  6  2002 rshd
-rw-r--r--   1 root  wheel  -  557 Sep  7  2002 sshd
-rw-r--r--   1 root  wheel  -  582 Sep  6  2002 telnetd

	The only thing is that for IPs not defined, it would go straight
to the ftp login prompt and not deny access, I thought deny was default
for anything not defined?

> I also killed inetd, and started it with no flags.  But when I connected to
> the ftpd process, tcpd didn't display the banner (both tcpd and ftpd banner
> files were installed into the banner directory).

	Yep, same here.

> So it looks like tcpd is broken when it comes to displaying banners.

	So it wasn't my imagination. :-)  I wonder if there are actually
any differences between the tcp_wrappers in inetd and the one in tcpd or
is the inetd just the tcpd stuff all integrated and improved.

> I suggest you use inetd's builtin TCP Wrappers support, and forget using
> tcpd.

	That's a good idea since I probably won't remember to fix tcpd if
there is a fix on each cvsup and then buildworld.

> Scot


Cheers,
Vince - vince_at_WURLDLINK.NET - Vice President             ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation                                  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1_at_IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
Received on Sat Jul 05 2003 - 11:40:47 UTC
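
Added example (not part of the original message, and not FreeBSD's code): a small Python model of how a hosts.allow rule list is evaluated, applied to the rule quoted in the message with and without a trailing catch-all deny. It assumes no hosts.deny file is present and models only daemon lists, ALL, trailing-dot network prefixes and the allow/deny options; the function names and client addresses are constructed for illustration.

```python
"""Minimal model of hosts_access(5) first-match evaluation (added example).
Assumes hosts.deny is absent; models daemon lists, ALL, trailing-dot
network prefixes and the hosts_options(5) allow/deny keywords only."""

# Rule as quoted in the message.
THREAD_RULE = "telnetd,ftpd,rshd,rlogind : 208.201.244. : rfc931 : banners /etc/banners"
# Same rule followed by an explicit catch-all deny.
WITH_CATCH_ALL = THREAD_RULE + "\nALL : ALL : deny"


def parse_rules(text):
    """Parse 'daemons : clients : option : ...' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Simplification: option values containing ':' are not handled.
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2:]))
    return rules


def client_matches(pattern, addr):
    """Match ALL, a trailing-dot network prefix, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def check(rules, daemon, addr):
    """Return 'allow' or 'deny'; the first matching rule decides."""
    for daemons, clients, options in rules:
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(client_matches(p, addr) for p in clients):
            return "deny" if "deny" in options else "allow"
    return "allow"  # no rule matched: tcp_wrappers grants access


if __name__ == "__main__":
    for name, text in (("as posted", THREAD_RULE), ("with catch-all", WITH_CATCH_ALL)):
        for addr in ("208.201.244.10", "192.0.2.7"):  # constructed clients
            print(name, addr, check(parse_rules(text), "ftpd", addr))
```

With the rule as posted, a client outside 208.201.244. matches nothing and is granted access; only the added final `ALL : ALL : deny` line turns the list into default-deny.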
