Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In need to understand this in detail as I'm writing code to analyse wrapper config vulnerabilities on various *N*Xes.
As I understand it if you want to use /etc/hosts.allow(deny) on (say) Solaris, you use tcpd as a 'wrapper' to launch services in /etc/inetd.conf. Or you could link libwrap into your binary.
On RH I can't see tcpd used anywhere, but adding ALL:ALL to hosts.deny prevents access to rlogin (launched by xinetd) and sshd (launched from the init.d scripts).
As far as I can see it works the same on RH7 and RH9. On RH9 'ldd' shows libwrap linked into xinetd and sshd so I guess that makes sense. However, on RH7 ldd doesn't show libwarp as being liked into xinetd or sshd.
So here are my questions:
- How is tcpwrappers implimented on RH7?
- Can I use tcpd to launch any network service (say from the shell prompt) or just those in inetd.conf?
- Why doesn't adding to hosts.deny 'xinetd:ALL' prevent access to everything launched by xinetd? (try it..)
doesn't hosts.deny get read before hosts.allow, so if you deny all, then can't you go to allow and allow just what you want and only those should get through? i am totally not sure. i thought that was the case. sorry if i am misleading you.
Tyler,
Thanks for trying, but you should have a look at 'man hosts.allow'....... allow is accessed first. 1st match wins.
My hosts.allow is empty. Anyway, I'm happy with the way allow/deny works (except for the xinetd:ALL entry being ignored). It's just I can't see _why_ wrappers works at all on RH7....
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.