hosts_access(3) - correct usage?
Dan Langille
dan at langille.org
Wed Oct 29 16:53:05 PST 2003
On 29 Oct 2003 at 18:26, Dan Langille wrote:
> On 29 Oct 2003 at 17:10, Guido van Rooij wrote:
>
> > On Wed, Oct 29, 2003 at 09:38:50AM -0500, Dan Langille wrote:
> > > Is this the right way to use hosts_access? The code blows up during
> > > the hosts_access call. I'm told it runs OK on Linux/Solaris. I'm
> > > wondering if there's something different it needs to be doing on
> > > FreeBSD.
> > >
> > > Thanks
> > >
> > > #ifdef HAVE_LIBWRAP
> > >    P(mutex);                       /* hosts_access is not thread safe */
> > >    request_init(&request, RQ_DAEMON, my_name, RQ_FILE, newsockfd, 0);
> > >    fromhost(&request);
> > >    if (!hosts_access(&request)) {
> > >       V(mutex);
> > >       Jmsg2(NULL, M_WARNING, 0, _("Connection from %s:%d refused by hosts.access"),
> > >             inet_ntoa(cli_addr.sin_addr), ntohs(cli_addr.sin_port));
> > >       close(newsockfd);
> > >       continue;
> > >    }
> > >    V(mutex);
> > > #endif
> >
> >
> > This seems okay to me.
> > OpenSSH uses:
> > struct request_info req;
> >
> > request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
> > fromhost(&req);
> >
> > if (!hosts_access(&req)) {
> >     debug("Connection refused by tcp wrapper");
> >     refuse(&req);
> >     /* NOTREACHED */
> >     fatal("libwrap refuse returns");
> > }
> >
> > I take it that newsockfd is the one returned from accept()?
> > I'd try using a debug version of libwrap...
>
> I was speaking with dwhite on IRC about this. The application
> (sysutils/bacula) has a hacked version of tcpd.h for use with C++.
> This didn't have the #ifdef INET6 statements. So I patched that up.
> But no difference in the results.
>
> If hosts.allow is going to deny access, the crash occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.success.html
>
> If access is denied, this occurs:
> http://beta.freebsddiary.org/tmp/bacula-fd-gbd.fails.html
>
> I haven't looked into libwrap yet, but in case someone sees something
> obvious, I've posted the above.
Well, we've tracked it down to one set of allow statements. The
server is at 192.168.0.56 (undef.unixathome.org). The daemon name is
bast-fd. If we supply any one of these in /etc/hosts.allow, the
crash does not occur.
bast-fd : 192.168.0.0/255.255.255.0 : allow
bast-fd : 192.168.0.0/255.255.255.0 : deny
bast-fd : undef.unixathome.org : allow
bast-fd : undef.unixathome.org : deny
bast-fd : 192.168.0.56 : allow
With this, the crash occurs:
bast-fd : undef.blah.blah : allow
This is how to make it crash:
$ telnet bast 9102
Trying 192.168.0.21...
Connected to bast.unixathome.org.
Escape character is '^]'.
You are not welcome to use bast-fd from undef.unixathome.org.
Connection closed by foreign host.
Also, if the first call to hosts_access succeeds, then all subsequent
calls will succeed. I actually have to restart the daemon, and then
have a deny condition in hosts.allow in order for the hosts_access
call to bomb.
Any ideas?
--
Dan Langille : http://www.langille.org/
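Added example, not code from the thread and not Bacula's or libwrap's own code: a minimal re-implementation of the first-match rule evaluation described in hosts_access(5), written to trace which /etc/hosts.allow line each of the client patterns listed above hits for a connection from 192.168.0.56 / undef.unixathome.org. It does no DNS lookup (it takes the already-resolved address and host name as input) and supports only the pattern forms used in the thread: ALL, a dotted-quad address, net/mask, a host name, and a leading-dot domain suffix. The trailing `ALL : ALL : twist ...` catch-all in the table is an assumption about the box's configuration: it is the last line of the stock FreeBSD /etc/hosts.allow, and the banner in the telnet transcript ("You are not welcome to use bast-fd from undef.unixathome.org.") is that line's format string with %d and %h filled in. The caveat worth checking in a daemon that calls hosts_access() from its own accept() loop: per hosts_options(5), `twist` replaces the calling process with the shell command, so hosts_access() never returns when such a rule is the first match, whereas `allow` and `deny` do return. In the trace below, every pattern except `undef.blah.blah` matches the client and stops at its own allow/deny; only `undef.blah.blah` falls through to the catch-all.

```c
/*
 * Added example (not from the thread, not Bacula or libwrap code): a minimal
 * re-implementation of the first-match evaluation in hosts_access(5), enough
 * to trace which hosts.allow line a client hits. No DNS; only the pattern
 * forms used in the thread (ALL, dotted-quad, net/mask, host name, ".domain").
 */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum action { ACT_ALLOW, ACT_DENY, ACT_TWIST, ACT_NO_MATCH };

struct rule {
    const char *daemon;  /* name passed via RQ_DAEMON, or "ALL" */
    const char *client;  /* address, net/mask, host name, ".domain", or "ALL" */
    enum action action;  /* the option at the end of the line */
};

struct client {
    const char *addr;    /* dotted-quad, as inet_ntoa() prints it */
    const char *host;    /* name from the reverse lookup, or "unknown" */
};

static const char *action_name(enum action a) {
    static const char *names[] = { "allow", "deny", "twist", "no match (allow)" };
    return names[a];
}

/* Does one client pattern match the connecting client? */
static int match_client(const char *pat, const struct client *c) {
    struct in_addr net, mask, addr;
    const char *slash = strchr(pat, '/');

    if (strcmp(pat, "ALL") == 0)
        return 1;
    if (slash) {                            /* net/mask: (addr & mask) == net */
        char netstr[INET_ADDRSTRLEN];
        size_t n = (size_t)(slash - pat);
        if (n >= sizeof netstr)
            return 0;
        memcpy(netstr, pat, n);
        netstr[n] = '\0';
        if (inet_pton(AF_INET, netstr, &net) != 1 ||
            inet_pton(AF_INET, slash + 1, &mask) != 1 ||
            inet_pton(AF_INET, c->addr, &addr) != 1)
            return 0;
        return (addr.s_addr & mask.s_addr) == net.s_addr;
    }
    if (inet_pton(AF_INET, pat, &net) == 1)   /* plain address */
        return inet_pton(AF_INET, c->addr, &addr) == 1 && addr.s_addr == net.s_addr;
    if (pat[0] == '.') {                    /* ".domain" matches a name suffix */
        size_t pl = strlen(pat), hl = strlen(c->host);
        return hl > pl && strcasecmp(c->host + hl - pl, pat) == 0;
    }
    return strcasecmp(pat, c->host) == 0;   /* host name, case-insensitive */
}

/* First matching line wins; no match at all means access is granted. */
enum action hosts_lookup(const struct rule *rules, size_t n,
                         const char *daemon, const struct client *c) {
    for (size_t i = 0; i < n; i++) {
        if ((strcmp(rules[i].daemon, "ALL") == 0 ||
             strcmp(rules[i].daemon, daemon) == 0) &&
            match_client(rules[i].client, c))
            return rules[i].action;
    }
    return ACT_NO_MATCH;
}

/* Evaluate one "bast-fd : <pattern> : <action>" line, optionally followed by
 * the assumed stock catch-all  ALL : ALL : twist /bin/echo "You are not welcome ..." */
enum action evaluate(const char *pattern, enum action act, int with_catchall,
                     const char *addr, const char *host) {
    const struct rule table[] = {
        { "bast-fd", pattern, act },
        { "ALL", "ALL", ACT_TWIST },        /* assumption: last line of the stock file */
    };
    const struct client c = { addr, host };
    return hosts_lookup(table, with_catchall ? 2 : 1, "bast-fd", &c);
}

int main(void) {
    /* Constructed input: the client and the hosts.allow lines from the thread. */
    const char *addr = "192.168.0.56", *host = "undef.unixathome.org";
    const struct { const char *pat; enum action act; } lines[] = {
        { "192.168.0.0/255.255.255.0", ACT_ALLOW },
        { "192.168.0.0/255.255.255.0", ACT_DENY },
        { "undef.unixathome.org", ACT_ALLOW },
        { "undef.unixathome.org", ACT_DENY },
        { "192.168.0.56", ACT_ALLOW },
        { "undef.blah.blah", ACT_ALLOW },
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("bast-fd : %-26s : %-5s -> %s\n", lines[i].pat,
               action_name(lines[i].act),
               action_name(evaluate(lines[i].pat, lines[i].act, 1, addr, host)));
    return 0;
}
```

Real libwrap also verifies the reverse lookup against a forward lookup and substitutes PARANOID/unknown on mismatch, and supports KNOWN, UNKNOWN, EXCEPT lists and the spawn/severity/rfc931 options; none of that is modelled here.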
More information about the freebsd-hackers
mailing list