
Re: hosts.allow - words of wisdom?



-> > Thanks for the comments,  But would wrapping Apache do any good?  AFAIK 
-> > wrapping works only when daemon starts and Apache is sort of always on?
-> 
-> I would not suggest running a web server from inetd. If the web server
-> persists after the first connection, that is fine, but you are correct in
-> that this behavior excludes using tcpd. It does not exclude having libwrap
-> built in to the daemon and I'm not sure if apache is built with this
-> support.

damn, you both didn't read it carefully...

>> That's not necessarily true. A lot of standalone daemons are, or can be,
>> compiled with libwrap so as to have this functionality built-in.

iirc, apache can be built with libwrap support which means, uses hosts.allow
and hosts.deny to decide whether to run or not;

-> The libwrap code starts when there is a connection to the port and the
-> program handsoff the info to libwrap. It _then_ opens the
-> /etc/hosts.{allow,deny} files in order to check the validity of the
-> connection.
-> 
-> /usr/sbin/tcpd however, is passed the actual connection and it checks the
-> validity. If it's ok then it passes the connection off to the daemon.

nope; you MUST accept() the connection and THEN you can getpeername() and do
hosts.allow/deny searching; btw, tcpd doesn't accept(); it's inetd who does
and passes the socket to tcpd as stdin/stdout

-- 
 Matus "fantomas" Uhlar, sysadmin at Telenor Internet Kosice, Slovakia
 BIC coord for *.sk; admin of netlab.irc.sk; co-admin of irc.felk.cvut.cz
 ... and Bill Gates' dick is soft not to do any harm ...
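The flow the reply describes (accept() first, then getpeername() on the new socket, then the hosts.allow/hosts.deny lookup, and close() if the lookup refuses) as an added example, not code from the poster or from tcp_wrappers. The matcher below is a deliberately simplified stand-in for libwrap's hosts_access(): it understands only ALL, exact IPv4 addresses and trailing-dot network prefixes such as "192.168.1.", and it follows the real evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise the connection is granted). SAMPLE_ALLOW and SAMPLE_DENY are constructed file contents, and the daemon name "httpd" is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Constructed sample contents standing in for /etc/hosts.allow and /etc/hosts.deny. */
static const char *SAMPLE_ALLOW =
    "# hosts.allow (constructed example)\n"
    "httpd: 192.168.1.\n"
    "sshd: 10.0.0.5\n";
static const char *SAMPLE_DENY =
    "# hosts.deny (constructed example)\n"
    "ALL: ALL\n";

/* One list token: ALL, a "192.168.1." network prefix, or an exact value. */
static int token_matches(const char *tok, const char *value)
{
    size_t n = strlen(tok);
    if (strcasecmp(tok, "ALL") == 0) return 1;
    if (n > 0 && tok[n - 1] == '.')
        return strncmp(tok, value, n) == 0;
    return strcmp(tok, value) == 0;
}

/* A comma/space separated list matches if any token matches. */
static int list_matches(const char *list, const char *value)
{
    char buf[256];
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ", \t\n"); tok; tok = strtok(NULL, ", \t\n"))
        if (token_matches(tok, value)) return 1;
    return 0;
}

/* Scans file text for the first "daemon_list : client_list" line matching both. */
static int file_matches(const char *text, const char *daemon, const char *client)
{
    char line[256];
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len;
        if (*text == '\n') text++;
        if (line[0] == '#' || line[0] == '\0') continue;
        char *colon = strchr(line, ':');
        if (!colon) continue;
        *colon = '\0';
        if (list_matches(line, daemon) && list_matches(colon + 1, client))
            return 1;
    }
    return 0;
}

/* tcp_wrappers order: allow file first match grants, then deny file refuses, else grant. */
int hosts_access_check(const char *allow_text, const char *deny_text,
                       const char *daemon, const char *client_ip)
{
    if (file_matches(allow_text, daemon, client_ip)) return 1;
    if (file_matches(deny_text, daemon, client_ip)) return 0;
    return 1;
}

/* The order the reply insists on: accept() first, only then getpeername() and the check.
   Returns the connected fd on success, -1 if refused or on error. */
int accept_and_check(int listen_fd, const char *daemon)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char ip[INET_ADDRSTRLEN];
    int conn = accept(listen_fd, NULL, NULL);
    if (conn < 0) return -1;
    if (getpeername(conn, (struct sockaddr *)&peer, &len) < 0 ||
        !inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip) ||
        !hosts_access_check(SAMPLE_ALLOW, SAMPLE_DENY, daemon, ip)) {
        close(conn);   /* refused: the socket already exists, so it has to be closed */
        return -1;
    }
    return conn;       /* granted: hand the connection to the service code */
}
```

The point worth noticing is that the refusal happens after the TCP handshake has completed: a wrapped daemon, like tcpd behind inetd, cannot decide before accept() because the peer address is only known on the accepted socket. A client that is refused therefore sees a connection that opens and is immediately closed, not a connection that is never established.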