>Number: 155985 >Category: bin >Synopsis: tcpd does not perform a access-control >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Mar 28 06:40:12 UTC 2011 >Closed-Date: >Last-Modified: >Originator: HIROSHI OOTA >Release: 9-current >Organization: >Environment: FreeBSD XXX 9.0-CURRENT FreeBSD 9.0-CURRENT #133 r219891M: Wed Mar 23 08:56:43 JST 2011 root@ amd64 >Description: tcpd does not perform a access-control. access-control table (/etc/hosts.allow) is always ignored.
I wrote ALL : ALL : deny at the head of/etc/hosts.allow. Tcpd ignores this description and permits a connecting. >How-To-Repeat: /etc/hosts.allow ALL : ALL : deny /etc/inetd.conf ftp stream tcp nowait root /usr/libexec/tcdp /usr/libexec/ftpd -l # /etc/rc.d/inetd reload # ftp localhost >Fix: To enable access-control facility, tcpd should be compiled with -DHOSTS_ACCESS flag. Add -DHOSTS_ACCESS to /usr/src/libexec/tcpd/Makefile. The code fragment of this problem is the following. /usr/src/contrib/tcp_wrappers/tcpd.c: 112 /* 113 * Check whether this host can access the service in argv[0]. The 114 * access-control code invokes optional shell commands as specified in 115 * the access-control tables. 116 */ 117 118 #ifdef HOSTS_ACCESS 119 if (!hosts_access(&request)) 120 refuse(&request); 121 #endif >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "[email protected]"
