Re: hosts_access(3) - correct usage?

From: Dan Langille (dan_at_langille.org)
Date: 10/30/03

    To: FreeBSD-hackers@freebsd.org
    Date: Wed, 29 Oct 2003 19:53:01 -0500
    
    

    On 29 Oct 2003 at 18:26, Dan Langille wrote:

    > On 29 Oct 2003 at 17:10, Guido van Rooij wrote:
    >
    > > On Wed, Oct 29, 2003 at 09:38:50AM -0500, Dan Langille wrote:
    > > > Is this the right way to use hosts_access? The code blows up during
    > > > the hosts_access call. I'm told it runs OK on Linux/Solaris. I'm
    > > > wondering if there's something different it needs to be doing on
    > > > FreeBSD.
    > > >
    > > > Thanks
    > > >
    > > > #ifdef HAVE_LIBWRAP
    > > >     P(mutex); /* hosts_access is not thread safe */
    > > >     request_init(&request, RQ_DAEMON, my_name, RQ_FILE, newsockfd, 0);
    > > >     fromhost(&request);
    > > >     if (!hosts_access(&request)) {
    > > >         V(mutex);
    > > >         Jmsg2(NULL, M_WARNING, 0, _("Connection from %s:%d refused by hosts.access"),
    > > >               inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
    > > >         close(newsockfd);
    > > >         continue;
    > > >     }
    > > >     V(mutex);
    > > > #endif
    > >
    > >
    > > This seems okay to me.
    > > OpenSSH uses:
    > > struct request_info req;
    > >
    > > request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
    > > fromhost(&req);
    > >
    > > if (!hosts_access(&req)) {
    > >     debug("Connection refused by tcp wrapper");
    > >     refuse(&req);
    > >     /* NOTREACHED */
    > >     fatal("libwrap refuse returns");
    > > }
    > >
    > > I take it that newsockfd is the one returned from accept()?
    > > I'd try using a debug version of libwrap...
    >
    > I was speaking with dwhite on IRC about this. The application
    > (sysutils/bacula) has a hacked version of tcpd.h for use with C++.
    > This didn't have the #ifdef INET6 statements. So I patched that up.
    > But no difference in the results.
    >
    > If hosts.allow is going to deny access, the crash occurs:
    > http://beta.freebsddiary.org/tmp/bacula-fd-gbd.success.html
    >
    > If access is denied, this occurs:
    > http://beta.freebsddiary.org/tmp/bacula-fd-gbd.fails.html
    >
    > I haven't looked into libwrap yet, but in case someone sees something
    > obvious, I've posted the above.

    Well, we've tracked it down to one set of allow statements. The
    server is at 192.168.0.56 (undef.unixathome.org). The daemon name is
    bast-fd. If we supply any one of these in /etc/hosts.allow, the
    crash does not occur.

    bast-fd : 192.168.0.0/255.255.255.0 : allow
    bast-fd : 192.168.0.0/255.255.255.0 : deny
    bast-fd : undef.unixathome.org : allow
    bast-fd : undef.unixathome.org : deny
    bast-fd : 192.168.0.56 : allow

    With this, the crash occurs:
    bast-fd : undef.blah.blah : allow

    This is how to make it crash:

    $ telnet bast 9102
    Trying 192.168.0.21...
    Connected to bast.unixathome.org.
    Escape character is '^]'.
    You are not welcome to use bast-fd from undef.unixathome.org.
    Connection closed by foreign host.

    Also, if the first call to hosts_access succeeds, then all subsequent
    calls will succeed. I actually have to restart the daemon, and then
    have a deny condition in hosts.allow in order for the hosts_access
    call to bomb.

    Any ideas?

    -- 
    Dan Langille : http://www.langille.org/
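
An added example, not part of the original message and not libwrap code: a simplified model of first-match rule evaluation, run over two of the no-crash rules and the crash rule quoted above with the client from the message (undef.unixathome.org, 192.168.0.56). The names `struct rule`, `client_matches` and `evaluate` are hypothetical, and the -1 result is this sketch's stand-in for "no listed rule matched, so evaluation continues to whatever rules follow in the file", which the message does not show.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* One "daemon : client : allow|deny" line; a simplified model, not libwrap's parser. */
struct rule { const char *daemon, *client; int allow; };

/* Rules copied from the message: two that avoid the crash, one that triggers it. */
static const struct rule no_crash[] = {
    { "bast-fd", "192.168.0.0/255.255.255.0", 0 },   /* ... : deny  */
    { "bast-fd", "192.168.0.56", 1 },                /* ... : allow */
};
static const struct rule crash[] = { { "bast-fd", "undef.blah.blah", 1 } };

/* Match one client pattern: ALL, exact host name, literal address, or net/mask. */
static int client_matches(const char *pat, const char *host, const char *addr)
{
    const char *slash = strchr(pat, '/');
    struct in_addr net, mask, a;
    char buf[INET_ADDRSTRLEN];

    if (slash == NULL)
        return strcasecmp(pat, "ALL") == 0 || strcasecmp(pat, host) == 0 ||
               strcmp(pat, addr) == 0;
    if ((size_t)(slash - pat) >= sizeof(buf))
        return 0;                                    /* network part too long */
    memcpy(buf, pat, (size_t)(slash - pat));
    buf[slash - pat] = '\0';
    if (inet_pton(AF_INET, buf, &net) != 1 || inet_pton(AF_INET, slash + 1, &mask) != 1 ||
        inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    return (a.s_addr & mask.s_addr) == net.s_addr;   /* client inside net/mask? */
}

/* First match wins: 1 = allow, 0 = deny, -1 = no rule matched (falls through). */
int evaluate(const struct rule *r, size_t n, const char *daemon,
             const char *host, const char *addr)
{
    for (size_t i = 0; i < n; i++)
        if ((strcasecmp(r[i].daemon, "ALL") == 0 || strcasecmp(r[i].daemon, daemon) == 0) &&
            client_matches(r[i].client, host, addr))
            return r[i].allow;
    return -1;
}

int main(void)
{
    printf("no-crash rules: %d, undef.blah.blah rule: %d\n",
           evaluate(no_crash, 2, "bast-fd", "undef.unixathome.org", "192.168.0.56"),
           evaluate(crash, 1, "bast-fd", "undef.unixathome.org", "192.168.0.56"));
    return 0;
}
```

In this model every no-crash rule reaches a verdict for the client, while the `undef.blah.blah` rule leaves the decision to a later rule.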
    
