Hi,

In need to understand this in detail as I'm writing code to analyse wrapper config vulnerabilities on various *N*Xes.

As I understand it if you want to use /etc/hosts.allow(deny) on (say) Solaris, you use tcpd as a 'wrapper' to launch services in /etc/inetd.conf. Or you could link libwrap into your binary.

On RH I can't see tcpd used anywhere, but adding ALL:ALL to hosts.deny prevents access to rlogin (launched by xinetd) and sshd (launched from the init.d scripts).

As far as I can see it works the same on RH7 and RH9. On RH9 'ldd' shows libwrap linked into xinetd and sshd so I guess that makes sense. However, on RH7 ldd doesn't show libwarp as being liked into xinetd or sshd.

So here are my questions:
- How is tcpwrappers implimented on RH7?
- Can I use tcpd to launch any network service (say from the shell prompt) or just those in inetd.conf?
- Why doesn't adding to hosts.deny 'xinetd:ALL' prevent access to everything launched by xinetd? (try it..)

Thanks

Chris

doesn't hosts.deny get read before hosts.allow, so if you deny all, then can't you go to allow and allow just what you want and only those should get through? i am totally not sure. i thought that was the case. sorry if i am misleading you.

Tyler,
Thanks for trying, but you should have a look at 'man hosts.allow'....... allow is accessed first. 1st match wins.

My hosts.allow is empty. Anyway, I'm happy with the way allow/deny works (except for the xinetd:ALL entry being ignored). It's just I can't see _why_ wrappers works at all on RH7....

sorry about that. not in front of a linux box now. away from home. i apologize.