
Re: Permissions Required On hosts.allow ?



Nick Boyce wrote:
> On Thu, 29 Aug 2002 08:37:15 -0600 (MDT), Joe Moore wrote:
>>Another option would be to create a group, for example called
>>"tcpwrap". Add
>>tcpwrap:x:150:telnetd, sshd, irc, identd
>>(This list is based on the users in /etc/passwd which appear to be for
>>services that would benefit from tcpwrap.  Adjust as appropriate.)
>>
>>Set /etc/hosts.allow to mod 0640 and ownership root:tcpwrap
>>
>>When tcpd is running as UID telnetd, it will also have group
>>equivalence to GID tcpwrap, so it will be able to read /etc/hosts.allow
> 
> Yep - that's just the sort of thing I had in mind - I can't see a
> problem with it if all the new GID does is grant read access to the tcp
> wrappers config files.  [ I just realised one more ingredient
> required is to make the relevant service daemons sgid tcpwrap as well
> as members of it. ]

Actually, your realization is wrong.  The definitions in /etc/group add a
supplementary GID to the UID telnetd.  There is no change needed in the
application or sgid bits.  The OS handles the initgroups() call.

If you add the /etc/group line above, and then run "id telnetd", tcpwrap
will be listed as part of the supplementary groups.  No changes needed.
in.telnetd will run as UID telnetd, primary GID telnetd, but will be able to
access files that are root:tcpwrap mod 0640.

For further verification:
cvglx10:/home/jmoore# grep tcpwrap /etc/group
tcpwrap:x:150:telnetd
cvglx10:/home/jmoore# id telnetd
uid=103(telnetd) gid=103(telnetd) groups=103(telnetd),43(utmp),150(tcpwrap)
cvglx10:/home/jmoore# date > /tmp/check
cvglx10:/home/jmoore# chmod 0640 /tmp/check
cvglx10:/home/jmoore# chown root:tcpwrap /tmp/check
cvglx10:/home/jmoore# ls -l /tmp/check
-rw-r-----    1 root     tcpwrap        29 Aug 30 09:48 /tmp/check
cvglx10:/home/jmoore# su -s /bin/bash telnetd
cvglx10:/home/jmoore$ id
uid=103(telnetd) gid=103(telnetd) groups=103(telnetd),43(utmp),150(tcpwrap)
cvglx10:/home/jmoore$ cat /tmp/check
Fri Aug 30 09:48:43 EDT 2002
cvglx10:/home/jmoore$ exit

---------------------------------------------------------------------

As to your later message:
setgroups() and initgroups() are not necessary.  Already UID telnetd is able
to write to /var/run/utmp because of its membership in GID utmp.

For all the packages that depend on libwrap0:
  If they run as UID 0, they will be able to read /etc/hosts.allow.
  If they run as another specific UID, they can read /etc/hosts.allow IFF
that UID is added to the /etc/group line for tcpwrap.
  If they run as a user not listed for tcpwrap (such as an interactive
user), they will not be able to read /etc/hosts.allow.  This may be a very
good thing:

If /etc/hosts.allow is unreadable, and /etc/hosts.deny has ALL:ALL, tcpwrap
will prevent all connections.  This is desirable if you want a more secure
system.  This means that if you have not added telnetd to the tcpwrap group,
in.telnetd will not accept connections from anywhere, even if it's
accidentally (or intentionally) started (by a malicious? user).

--Joe
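As an added illustration (not part of the thread or of any Debian package), the Python below emulates the group set initgroups(3) builds from /etc/passwd and /etc/group and then applies the kernel's owner/group/other read check. The passwd and group fragments, the user names and the GID 150 are constructed sample data modelled on the thread's example.

```python
import stat
# Constructed /etc/passwd and /etc/group fragments (sample data, not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
telnetd:x:103:103::/nonexistent:/bin/false
jmoore:x:1000:1000::/home/jmoore:/bin/bash
"""
GROUP = """\
utmp:x:43:telnetd
telnetd:x:103:
tcpwrap:x:150:telnetd
"""
TCPWRAP_GID = 150

def parse_passwd(text):
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        name, _, uid, gid, *_ = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map group name -> (gid, set of listed members)."""
    groups = {}
    for line in text.splitlines():
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def initgroups(user, passwd=PASSWD, group=GROUP):
    """(uid, group set) a process of `user` gets: its primary gid plus every
    /etc/group entry that names the user, which is what initgroups(3) builds."""
    uid, primary = parse_passwd(passwd)[user]
    gids = {primary}
    gids |= {g for g, members in parse_group(group).values() if user in members}
    return uid, gids

def can_read(user, owner_uid=0, owner_gid=TCPWRAP_GID, mode=0o640):
    """Kernel-style read check; defaults describe /etc/hosts.allow as root:tcpwrap 0640."""
    uid, gids = initgroups(user)
    if uid == 0:                      # root bypasses the DAC read check
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:             # supplementary groups count; no sgid bit needed
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)
```

With the sample data, telnetd reads the 0640 root:tcpwrap file through its supplementary group while the interactive user jmoore does not.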
