RE: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
An odd thing showed up on some of my Solaris boxes the other day, which might be pertinent.

Does the libwrap library definitely support :deny in the allow file? This is dependent on the library's compile time options, but may be checked with

    strings libwrap.so | grep twist

For :deny support to exist in the library, there must be references to twist in the library. e.g.:

    $ strings /usr/lib/libwrap.a | grep twist
    twist
    twist option in resident process
    twist %s to %s
    twist_option: dup: %m
    twist_option: /bin/sh: %m
    twist_option
    $

If there are no twist references, :deny can't be used in /etc/hosts.allow, but it's much worse than that. If :deny appears in the allow file on a twistless library, the library interprets /etc/hosts.allow as if you'd said :allow. Ouch.

It all boils down to use of -DPROCESS_OPTIONS at library compile time.

Ted
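The check described in the message above, as an added shell example that is not part of the original thread: it tests a library file for the twist strings and, when they are absent, lists the hosts.allow rules that carry :deny. The function names and the sample files are constructed for illustration, and grep -a is used in place of strings | grep.

```shell
#!/bin/sh
# Added example: audit hosts.allow against the libwrap build. The sample
# files and the function names are constructed for this demo.

# Succeeds if the library carries the "twist" strings, i.e. was built with
# -DPROCESS_OPTIONS. grep -a reads the binary directly, like strings | grep.
libwrap_has_options() {
    LC_ALL=C grep -a -q 'twist' "$1"
}

# Print "lineno: rule" for each non-comment rule with a deny option field.
deny_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($0, f, ":")
            for (i = 3; i <= n; i++) {
                opt = tolower(f[i]); gsub(/[ \t]/, "", opt)
                if (opt == "deny") { print NR ": " $0; next }
            }
        }' "$1"
}

# Returns 1 and lists the rules when :deny sits on a twistless library.
audit() {
    lib=$1; allow=$2
    if libwrap_has_options "$lib"; then
        echo "OK: $lib has twist references, :deny is supported"
        return 0
    fi
    hits=$(deny_rules "$allow")
    [ -z "$hits" ] && { echo "OK: no :deny rules in $allow"; return 0; }
    echo "RISK: $lib has no twist references; these rules act as allow:"
    echo "$hits"
    return 1
}

# Constructed demo inputs (stand-ins, not real libraries).
demo=$(mktemp -d)
printf 'ELF\001twist_option: dup: %%m\001' > "$demo/libwrap_opts.so"
printf 'ELF\001hosts_access\001'           > "$demo/libwrap_plain.so"
cat > "$demo/hosts.allow" <<'EOF'
# constructed sample, same rules as posted in the thread
in.tftpd: ALL :allow
sshd: ALL :allow
ALL: ALL :deny
EOF
audit "$demo/libwrap_opts.so"  "$demo/hosts.allow"
audit "$demo/libwrap_plain.so" "$demo/hosts.allow" || true
```

On a real host, pass the path that ldd reports for libwrap and /etc/hosts.allow to audit.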
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Amaral, Angelo
Sent: Tuesday July 27 2004 13:49
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
Thanks, Musashino-shi.
But I can't make syslog-ng work with tcpwrappers.
************************************************************
Here is how I compile my syslog-ng:
1- Install libnet (libnet-1.1.2.1-2.fc2.i386.rpm) in my Linux RedHat 3.1AS.
2- Compile syslog-ng:
# ./configure --enable-tcp-wrapper --enable-spoof-source
loading cache ./config.cache
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal-1.4... found
checking for working autoconf... found
checking for working automake-1.4... found
checking for working autoheader... found
checking for working makeinfo... found
checking whether build environment is sane... yes
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking for bison... (cached) bison -y
checking how to run the C preprocessor... (cached) gcc -E
checking for flex... (cached) flex
checking for flex... (cached) flex
checking for yywrap in -lfl... (cached) yes
checking lex output file root... (cached) lex.yy
checking whether yytext is a pointer... (cached) yes
checking whether make sets ${MAKE}... (cached) yes
checking for ANSI C header files... (cached) yes
checking for malloc.h... (cached) yes
checking for unistd.h... (cached) yes
checking for door.h... (cached) no
checking for stropts.h... (cached) yes
checking for sys/strlog.h... (cached) no
checking for stdarg.h... (cached) yes
checking for sys/klog.h... (cached) yes
checking for arpa/nameser.h... (cached) yes
checking for tcpd.h... (cached) yes
checking for working const... (cached) yes
checking whether time.h and sys/time.h may both be included... (cached) yes
checking for modern utmp... (cached) yes
checking for global timezone variable... (cached) yes
checking size of short... (cached) 2
checking size of int... (cached) 4
checking size of long... (cached) 4
checking for I_CONSLOG... (cached) no
checking for O_LARGEFILE... (cached) yes
checking for res_init in <resolv.h>... (cached) yes
checking for working alloca.h... (cached) yes
checking for alloca... (cached) yes
checking for vprintf... (cached) yes
checking for res_init in -lresolv... (cached) no
checking for __res_init in -lresolv... (cached) yes
checking for door_create in -ldoor... (cached) no
checking for socket in -lsocket... (cached) no
checking for gethostbyname in -lnsl... (cached) yes
checking for select... (cached) yes
checking for snprintf... (cached) yes
checking for vsnprintf... (cached) yes
checking for strerror... (cached) yes
checking for inet_aton... (cached) yes
checking for strncpy... (cached) yes
checking for getutent... (cached) yes
checking for getopt_long... (cached) yes
checking for strcasecmp... (cached) yes
checking for strptime... (cached) yes
checking for TCP wrapper library... (cached) -lwrap
checking whether to enable Sun STREAMS support... no
checking whether to enable Sun door support... no
checking whether to enable TCP wrapper support... yes
checking whether to enable spoof_source support... yes
checking libol version >= 0.3.13... ok
creating ./config.status
creating Makefile
creating src/Makefile
creating src/tests/Makefile
creating doc/Makefile
creating doc/sgml/Makefile
creating contrib/Makefile
creating syslog-ng.spec
creating src/config.h
src/config.h is unchanged
3- Look at ldd:
# ldd /usr/local/sbin/syslog-ng
        libnsl.so.1 => /lib/libnsl.so.1 (0xb75c7000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb75b5000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0xb75ac000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7475000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb75eb000)
************************************************************
And the configuration still does not work. Could you help me, please?
Thanks.
Angelo Amaral
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of michihito matsubara
Sent: Saturday, 24 July 2004 00:01
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
Angelo
On Thu, 22 Jul 2004 11:10:40 -0300 Subject: RE: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers "Amaral, Angelo" <angelo.amaral@hp.com> wrote:
Another scenario. Have you ever run ldd against syslog-ng itself? This will show whether syslog-ng is linked against the libwrap library or not.
On my Linux box,
$ ldd /sbin/syslog-ng
        libnsl.so.1 => /lib/libnsl.so.1 (0x40020000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40034000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40044000)
        libnet.so.2 => /usr/lib/libnet1/libnet.so.2 (0x4004c000)
        libc.so.6 => /lib/libc.so.6 (0x4005e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
And, on my FreeBSD box,
% ldd /usr/local/sbin/syslog-ng
/usr/local/sbin/syslog-ng:
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2807c000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28084000)
HTH mitch
Andrew,
I put the hosts.allow below on my system:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
in.tftpd: ALL :allow
sshd: ALL :allow
ALL: ALL :deny
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
And the configuration still does not work. Could you help me, please?
Thanks.
-- Musashino-shi, Tokyo, Japan K12LTSP in Japanese ; http://open-mitch.dyndns.org/k12ltsp/
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
participants (1)
-
Rule, Ted