From seth@freebie.dp.ny.frb.org Mon Jul 26 10:59:55 1999
Return-Path: <seth@freebie.dp.ny.frb.org>
Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32])
	by hub.freebsd.org (Postfix) with ESMTP id 2BD8A14E55
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 26 Jul 1999 10:59:54 -0700 (PDT)
	(envelope-from seth@freebie.dp.ny.frb.org)
Received: by fed-ef1.frb.gov; id NAA14894; Mon, 26 Jul 1999 13:58:36 -0400 (EDT)
Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2)
	id xma014276; Mon, 26 Jul 99 13:57:50 -0400
Message-Id: <199907261757.NAA01874@freebie.dp.ny.frb.org>
Date: Mon, 26 Jul 1999 13:57:44 -0400 (EDT)
From: Seth <seth@freebie.dp.ny.frb.org>
Reply-To: seth@freebie.dp.ny.frb.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: tcpd hosts.[allow|deny] location inconsistent
X-Send-Pr-Version: 3.2

>Number:         12819
>Category:       bin
>Synopsis:       tcpd hosts.[allow|deny] location inconsistent
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    billf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 26 11:00:01 PDT 1999
>Closed-Date:    Fri Nov 12 20:41:58 PST 1999
>Last-Modified:  Fri Nov 12 20:42:52 PST 1999
>Originator:     Seth
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
>Environment:


>Description:
 >e 537: what tcpd
 tcpd:
          tcpd.c 1.10 96/02/11 17:01:32
          patchlevel 7.6 97/03/21 19:27:23
 
 /usr/sbin/tcpdmatch:
          tcpdmatch.c 1.5 96/02/11 17:01:36
          fakelog.c 1.3 94/12/28 17:42:21
          inetcf.c 1.7 97/02/12 02:13:23
          scaffold.c 1.6 97/03/21 19:27:24
 
 
 Description: 
 
 tcpd uses access control files in /usr/local/etc.  tcpdmatch (and tcpdchk)
 checks against files in /etc.
 
 
>How-To-Repeat:

Create hosts.[allow|deny] in /etc.  Run tcpdmatch against them, and watch
the rules be processed/listed correctly.  Then try exercising the rules via
tcpd.  No rules will be processed.

>Fix:
	
  Quick workaround is to symlink /usr/local/etc/hosts.[allow|deny] to /etc.
  Long-term fix would require changes to tcpd or tcpdmatch/tcpdchk.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Jul 27 02:56:50 PDT 1999 
State-Changed-Why:  
The tcpd program is not distributed with FreeBSD as part of the base 
system, since its functionality is built into inetd. It's part of 
the tcp_wrappers port, which you don't need on 3.2-STABLE. Update 
to a recent 3.2-STABLE and check the inetd(8) manpage. 

As an aside, please try to provide realistic Severity fields for your 
PR's. :-) 

Thanks, 
Sheldon. 
State-Changed-From-To: closed->open 
State-Changed-By: des 
State-Changed-When: Thu Jul 29 10:44:39 PDT 1999 
State-Changed-Why:  
Not so fast. This is a serious problem for anyone running 3.2-RELEASE, 
especially someone upgrading to 3.2-RELEASE after running e.g. 
3.1-RELEASE with the tcpwrappers port, since the system tcpd utilities 
will take precedence over the port (due to /usr/bin being before 
/usr/local/bin in PATH), and they read their configuration files from 
/etc instead of /usr/local/etc. 

At the very least, this PR warrants an addition to the errata list. 
Responsible-Changed-From-To: freebsd-bugs->billf 
Responsible-Changed-By: billf 
Responsible-Changed-When: Mon Aug 2 19:40:07 PDT 1999 
Responsible-Changed-Why:  
The submitter is writing a patch for the errata which I will commit. 

From: Zippy <seth@interport.net>
To: freebsd-gnats-submit@freebsd.org, seth@freebie.dp.ny.frb.org
Cc:  
Subject: Re: bin/12819: tcpd hosts.[allow|deny] location inconsistent
Date: Mon, 2 Aug 1999 23:21:49 -0400 (EDT)

 I took the liberty of updating ERRATA.TXT.  Here's the diff:
 
 [command: diff -c ERRATA.TXT ERRATA.NEW]
 
 *** ERRATA.TXT	Mon Aug  2 23:15:51 1999
 --- ERRATA.NEW	Mon Aug  2 23:14:46 1999
 ***************
 *** 24,30 ****
   
   ---- Security Advisories:
   
 ! Current active security advisories for 3.2:	None
   
   ---- System Update Information:
   
 --- 24,49 ----
   
   ---- Security Advisories:
   
 ! Current active security advisories for 3.2:
   
 + 	NOTE to users upgrading from an older version:
 + 
 + 	If you are currently running tcpd from /usr/local/libexec, please
 + 	note that the addition of the userland tcpd utilities tcpdmatch
 + 	and tcpdchk into /sbin may result in false rule checking.  These
 + 	utilities are necessary to support the wrapping-capable inetd.
 + 	The new inetd with wrapping expects hosts.allow and hosts.deny to
 + 	reside in /etc, NOT /usr/local/etc (which is where tcpd wants
 + 	them).  
 + 
 + 	If you wish to continue to use /usr/local/libexec/tcpd, please
 + 	ensure that you're using the userland tcpd utilities in
 + 	/usr/local/sbin.  If you wish to use the wrapping functionality
 + 	available via inetd -w, please ensure that your hosts.allow and
 + 	hosts.deny files are available in /etc.
 + 
 + 
   ---- System Update Information:
 + 
 + 
   
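Review bot: The added NOTE says tcpdmatch and tcpdchk were added "into /sbin", but the `what` output in this report lists the base copy as /usr/sbin/tcpdmatch; please confirm the directory and correct the path so readers check the right binaries. "May result in false rule checking" would be clearer if it stated outright that the base utilities read hosts.allow and hosts.deny from /etc while the tcpd in /usr/local/libexec reads them from /usr/local/etc. Replacing "None" with an empty value also leaves the "Current active security advisories for 3.2:" line reading as if an advisory were active, so consider keeping "None" and giving the note its own heading; the two added blank lines after "---- System Update Information:" look unintended.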
 
 
 Seth Bromberger                                  seth@interport.net
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Fri Nov 12 20:41:58 PST 1999 
State-Changed-Why:  
ERRATA was updated, PR was never closed. 
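
Added example (not part of the PR and not FreeBSD code): a shell check for the mismatch this report describes. It compares hosts.allow and hosts.deny under /etc and /usr/local/etc and shows which copy of a utility a given PATH resolves first. The function names and the ROOT prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the PR. ROOT is a hypothetical prefix argument so
# the checks can run against a test tree; pass "" for the live system.

# Print the first executable NAME found in the colon-separated PATHLIST.
first_in_path() {
    name=$1; old_ifs=$IFS; IFS=:
    for d in $2; do
        if [ -x "$d/$name" ]; then IFS=$old_ifs; echo "$d/$name"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Directory a given copy reads, per the PR: port copies under /usr/local use
# /usr/local/etc, base-system copies use /etc.
config_dir_for() {
    case $1 in
        */usr/local/*) echo /usr/local/etc ;;
        *)             echo /etc ;;
    esac
}

# Compare hosts.allow and hosts.deny in both locations under ROOT.
# Prints one line per file; the return status is the number of mismatches.
audit_wrappers() {
    root=$1; problems=0
    for f in hosts.allow hosts.deny; do
        base="$root/etc/$f"; port="$root/usr/local/etc/$f"
        if [ ! -e "$base" ] && [ ! -e "$port" ]; then
            echo "$f: absent in both locations"
        elif [ -e "$base" ] && [ -e "$port" ] && cmp -s "$base" "$port"; then
            echo "$f: same content in both locations"
        elif [ -e "$base" ] && [ -e "$port" ]; then
            echo "$f: DIFFERS between /etc and /usr/local/etc"; problems=$((problems + 1))
        elif [ -e "$base" ]; then
            echo "$f: only in /etc"; problems=$((problems + 1))
        else
            echo "$f: only in /usr/local/etc"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

A mismatch matters when both the port's tcpd and the base utilities are in use; with the symlink workaround from the Fix section in place, both locations compare as the same content.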
>Unformatted:
