
Re: Permissions Required On hosts.allow ?



Jamie Heilman wrote:
>> Can I change this around a bit to achieve my goal - maybe make a new
>> group called "foo" (say) and give that gid to in.telnetd and
>> hosts.allow ... ?
> 
> Obscuring your libwrap/tcpd configuration from your local users, at the
> expense of allowing services to run as separate, non-privileged users
> is a bad idea.  Privilege separation provides a very tangible benefit,
> obfuscated config files do not.

Another option would be to create a group, for example called "tcpwrap".
Add
tcpwrap:x:150:telnetd,sshd,irc,identd
(This list is based on the users in /etc/passwd which appear to be for
services that would benefit from tcpwrap.  Adjust as appropriate.)

Set /etc/hosts.allow to mode 0640 and ownership root:tcpwrap

When tcpd is running as UID telnetd, it will also have group equivalence to
GID tcpwrap, so it will be able to read /etc/hosts.allow

--Joe
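The setup Joe describes, written out as an added shell example (this is not code from the post or from the tcp_wrappers project). It assumes Linux shadow-utils (groupadd, usermod -aG), GNU coreutils stat, that gid 150 is unused, and the service account names from the post; the function names setup_tcpwrap_group, can_read and check_wrapper_access are my own. The can_read function reproduces the Unix access rule that makes the scheme work: a user who owns the file is judged by the owner bits only, a member of the file's group by the group bits, everyone else by the "other" bits, and root is exempt.

```sh
#!/bin/sh
# Added example (assumptions: Linux shadow-utils, GNU stat, gid 150 free,
# account names as in the post). Not from the original post.
set -eu

WRAP_GROUP=tcpwrap
WRAP_GID=150                      # gid used in the post; assumed unused here
WRAP_FILE=/etc/hosts.allow
# Service accounts named in the post; adjust to what /etc/passwd actually has.
WRAP_USERS="telnetd sshd irc identd"

# Create the group, add the service users to it, and lock the file down to
# root:tcpwrap 0640 as the post describes. Must be run as root.
setup_tcpwrap_group() {
    if ! getent group "$WRAP_GROUP" >/dev/null; then
        groupadd -g "$WRAP_GID" "$WRAP_GROUP"
    fi
    for u in $WRAP_USERS; do
        if getent passwd "$u" >/dev/null; then
            usermod -aG "$WRAP_GROUP" "$u"   # -a appends; existing groups are kept
        fi
    done
    chown root:"$WRAP_GROUP" "$WRAP_FILE"
    chmod 0640 "$WRAP_FILE"
}

# can_read MODE OWNER GROUP USER USER_GROUPS
# Pure check of the read bit under the Unix access rule. MODE is the octal
# string stat prints (e.g. 640 or 0640); USER_GROUPS is a space-separated
# list of the user's groups. Returns 0 if USER can read the file, 1 if not.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    bits=$((0$mode))              # leading 0 makes the shell parse it as octal
    if [ "$user" = root ]; then
        return 0                  # root bypasses mode bits
    fi
    if [ "$user" = "$owner" ]; then
        # owner class applies and nothing else is consulted
        if [ $(( (bits >> 6) & 4 )) -ne 0 ]; then return 0; else return 1; fi
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            # group class: this is what grants tcpwrap members access
            if [ $(( (bits >> 3) & 4 )) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    # other class: local users outside tcpwrap end up here
    if [ $(( bits & 4 )) -ne 0 ]; then return 0; else return 1; fi
}

# check_wrapper_access FILE USER
# Runs can_read against the live file's mode/owner/group (GNU stat -c) and
# the user's current group list (id -Gn).
check_wrapper_access() {
    file=$1 user=$2
    [ -e "$file" ] || { echo "no such file: $file" >&2; return 1; }
    set -- $(stat -c '%a %U %G' "$file")
    can_read "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}

# Run as root with the argument "apply" to perform the setup and report
# which of the service accounts can now read hosts.allow.
if [ "${1-}" = apply ]; then
    setup_tcpwrap_group
    for u in $WRAP_USERS; do
        if getent passwd "$u" >/dev/null; then
            if check_wrapper_access "$WRAP_FILE" "$u"; then
                echo "$u can read $WRAP_FILE"
            else
                echo "$u can NOT read $WRAP_FILE"
            fi
        fi
    done
fi
```

Without arguments the script only defines the functions, so it can be sourced to check an existing setup. One caveat worth remembering when applying it: a process's supplementary groups are fixed when it starts (initgroups), so editing /etc/group does nothing for daemons already running; restart inetd or the wrapped services before trusting the result of check_wrapper_access.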


