
[linux-security] Re: Problem with TCP_wrappers



Jan-Philip Velders wrote:
[...]
: I'm using RH5.1 with tcp_wrappers 7.6.
[...]
: The tcp_wrappers also have a special compile-time-option which gives more
: functionality with all the rules, but then you have to combine all the rules
: into _one_ file "hosts.access" (I think!), and hosts.{allow,deny} don't
: function. But it doesn't look like it's compiled that way
: (-DPROCESS_OPTIONS)...

	I think tcp_wrappers 7.6 was built using -DPROCESS_OPTIONS.
At least the "twist" keyword works for me in hosts.{allow,deny}
(see the hosts_options(5) manpage). I don't know anything about the
hosts.access file, though.

	When we are on this topic, I am still having problems with
the "setenv" keyword in the hosts.{allow,deny}. It simply does not
work for me. I have tried to use the "setenv" keyword for qmail's incoming
mail:

tcp-env: ALL  local domain : setenv RELAYCLIENT

	The environment variable is not set for the tcp-env.
I have to change this line to the following:

tcp-env: ALL  local domain : twist /path/relayclient

where the /path/relayclient is the following script

#!/bin/bash
export RELAYCLIENT
/var/qmail/bin/tcp-env ... ...

	It works, but gives me a "twist" syslog message for each connection.
On RH4.2 the tcp_wrappers' setenv worked OK. In 5.0 and 5.1 it does not
work.

-Yenya

--
\ Jan "Yenya" Kasprzak <kas at fi.muni.cz>       http://www.fi.muni.cz/~kas/
\\ PGP: finger kas at aisa.fi.muni.cz   0D99A7FB206605D7 8B35FCDE05B18A5E //
\\\             Czech Linux Homepage:  http://www.linux.cz/              ///
If there are race conditions in programs fix them. The "my programs suck fix
something else" mentality leads you to things like Java.         -- Alan Cox
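
A way to check whether RELAYCLIENT actually reaches tcp-env under either rule in the message above, as an added example that is not part of the original post. The script name "relayprobe" is hypothetical; it sits in front of the tcp-env command, logs the variable's state, then execs the real command, and it assumes a logger(1) that accepts -p and -t. qmail-smtpd only checks that RELAYCLIENT is present, so "empty" counts as set.

```shell
#!/bin/sh
# Added example, not from the original post. "relayprobe" is a hypothetical name.

# Report how a child process will see variable $1:
#   unset - not in the exported environment at all
#   empty - exported with an empty value (what "setenv RELAYCLIENT" should give)
#   value - exported with a non-empty value
child_env_state() {
    name=$1
    # env prints only what is actually exported to child processes.
    line=$(env | grep "^${name}=" | head -n 1)
    if [ -z "$line" ]; then
        echo unset
    elif [ "$line" = "${name}=" ]; then
        echo empty
    else
        echo value
    fi
}

# When given a command line, log the state to syslog and hand over to it,
# e.g.  relayprobe /var/qmail/bin/tcp-env <rest of the original command>
if [ "$#" -gt 0 ]; then
    logger -p mail.info -t relayprobe \
        "RELAYCLIENT is $(child_env_state RELAYCLIENT) for $1"
    exec "$@"
fi
```

A log line reading "unset" for a connection that matched the setenv rule reproduces the problem described in the message.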


