Re: hosts.allow - words of wisdom?
-> > Thanks for the comments, But would wrapping Apache do any good? AFAIK
-> > wrapping works only when daemon starts and Apache is sort of always on?
->
-> I would not suggest running a web server from inetd. If the web server
-> persists after the first connection, that is fine, but you are correct in
-> that this behavior excludes using tcpd. It does not exclude having libwrap
-> built in to the daemon and I'm not sure if apache is built with this
-> support.
damn, you both didn't read it carefully...
>> That's not necessarily true. A lot of standalone daemons are, or can be,
>> compiled with libwrap so as to have this functionality built-in.
iirc, apache can be built with libwrap support which means, uses hosts.allow
and hosts.deny to decide wqhether to run or not;
-> The libwrap code starts when there is a connection to the port and the
-> program handsoff the info to libwrap. It _then_ opens the
-> /etc/hosts.{allow,deny} files in order to check the validity of the
-> connection.
->
-> /usr/sbin/tcpd however, is passed the actual connection and it checks the
-> validity. If it's ok then it passes the connection off to the daemon.
nope; you MUST accept() the connection and THEN you can getpeername() and do
hosts.allow/deny searching; btw, tcpd doesn't accept(); it's inetd who does
and passes the socket to tcpd as stdin/stdout
--
Matus "fantomas" Uhlar, sysadmin at Telenor Internet Kosice, Slovakia
BIC coord for *.sk; admin of netlab.irc.sk; co-admin of irc.felk.cvut.cz
... and Bill Gates' dick is soft not to do any harm ...
Reply to: