[syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
Rule, Ted
syslog-ng@lists.balabit.hu
Tue, 27 Jul 2004 13:59:30 +0100
An odd thing showed up on some of my Solaris boxes the other day, which might be pertinent.
Does the libwrap library definitely support :deny in the allow file? This is dependent on the library's compile time options, but may be checked with
strings libwrap.so | grep twist
For :deny support to exist in the library, there must be references to twist in the library.
e.g.:
$ strings /usr/lib/libwrap.a | grep twist
twist
twist option in resident process
twist %s to %s
twist_option: dup: %m
twist_option: /bin/sh: %m
twist_option
$
If there are no twist references, :deny can't be used in /etc/hosts.allow, but it's much worse than that.
If :deny appears in the allow file on a twistless library, the library interprets /etc/hosts.allow as if you'd said :allow.
Ouch.
It all boils down to use of -DPROCESS_OPTIONS at library compile time.
Ted
> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Amaral, Angelo
> Sent: Tuesday July 27 2004 13:49
> To: syslog-ng@lists.balabit.hu
> Subject: RE: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
>
> Thanks, Musashino-shi.
>
> But I can't make syslog-ng work with tcpwrappers.
>
>
> *********************************************************************************************************
> I show how I compile my syslog-ng:
>
> 1- Install libnet (libnet-1.1.2.1-2.fc2.i386.rpm) in my linux RedHat 3.1AS.
>
> 2- Compile syslog-ng:
> # ./configure --enable-tcp-wrapper --enable-spoof-source
> loading cache ./config.cache
> checking for a BSD compatible install... (cached) /usr/bin/install -c
> checking whether build environment is sane... yes
> checking whether make sets ${MAKE}... (cached) yes
> checking for working aclocal-1.4... found
> checking for working autoconf... found
> checking for working automake-1.4... found
> checking for working autoheader... found
> checking for working makeinfo... found
> checking whether build environment is sane... yes
> checking for gcc... (cached) gcc
> checking whether the C compiler (gcc ) works... yes
> checking whether the C compiler (gcc ) is a cross-compiler... no
> checking whether we are using GNU C... (cached) yes
> checking whether gcc accepts -g... (cached) yes
> checking for gcc option to accept ANSI C... (cached) none needed
> checking for bison... (cached) bison -y
> checking how to run the C preprocessor... (cached) gcc -E
> checking for flex... (cached) flex
> checking for flex... (cached) flex
> checking for yywrap in -lfl... (cached) yes
> checking lex output file root... (cached) lex.yy
> checking whether yytext is a pointer... (cached) yes
> checking whether make sets ${MAKE}... (cached) yes
> checking for ANSI C header files... (cached) yes
> checking for malloc.h... (cached) yes
> checking for unistd.h... (cached) yes
> checking for door.h... (cached) no
> checking for stropts.h... (cached) yes
> checking for sys/strlog.h... (cached) no
> checking for stdarg.h... (cached) yes
> checking for sys/klog.h... (cached) yes
> checking for arpa/nameser.h... (cached) yes
> checking for tcpd.h... (cached) yes
> checking for working const... (cached) yes
> checking whether time.h and sys/time.h may both be included... (cached) yes
> checking for modern utmp... (cached) yes
> checking for global timezone variable... (cached) yes
> checking size of short... (cached) 2
> checking size of int... (cached) 4
> checking size of long... (cached) 4
> checking for I_CONSLOG... (cached) no
> checking for O_LARGEFILE... (cached) yes
> checking for res_init in <resolv.h>... (cached) yes
> checking for working alloca.h... (cached) yes
> checking for alloca... (cached) yes
> checking for vprintf... (cached) yes
> checking for res_init in -lresolv... (cached) no
> checking for __res_init in -lresolv... (cached) yes
> checking for door_create in -ldoor... (cached) no
> checking for socket in -lsocket... (cached) no
> checking for gethostbyname in -lnsl... (cached) yes
> checking for select... (cached) yes
> checking for snprintf... (cached) yes
> checking for vsnprintf... (cached) yes
> checking for strerror... (cached) yes
> checking for inet_aton... (cached) yes
> checking for strncpy... (cached) yes
> checking for getutent... (cached) yes
> checking for getopt_long... (cached) yes
> checking for strcasecmp... (cached) yes
> checking for strptime... (cached) yes
> checking for TCP wrapper library... (cached) -lwrap
> checking whether to enable Sun STREAMS support... no
> checking whether to enable Sun door support... no
> checking whether to enable TCP wrapper support... yes
> checking whether to enable spoof_source support... yes
> checking libol version >= 0.3.13... ok
> creating ./config.status
> creating Makefile
> creating src/Makefile
> creating src/tests/Makefile
> creating doc/Makefile
> creating doc/sgml/Makefile
> creating contrib/Makefile
> creating syslog-ng.spec
> creating src/config.h
> src/config.h is unchanged
>
> 3- Look ldd:
> # ldd /usr/local/sbin/syslog-ng
> libnsl.so.1 => /lib/libnsl.so.1 (0xb75c7000)
> libresolv.so.2 => /lib/libresolv.so.2 (0xb75b5000)
> libwrap.so.0 => /usr/lib/libwrap.so.0 (0xb75ac000)
> libc.so.6 => /lib/tls/libc.so.6 (0xb7475000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb75eb000)
>
> *********************************************************************************************************
>
> And the configuration is still not working.
> Can you help me, please?
>
> Thanks.
>
> Angelo Amaral
>
>
> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of michihito matsubara
> Sent: Saturday, 24 July 2004 00:01
> To: syslog-ng@lists.balabit.hu
> Subject: Re: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
>
>
> Angelo
>=20
> On Thu, 22 Jul 2004 11:10:40 -0300
> Subject: RE: [syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
> "Amaral, Angelo" <angelo.amaral@hp.com> wrote:
>
> Another scenario.
> Have you ever run ldd against syslog-ng itself?
> This will show whether syslog-ng is linked against the libwrap library or not.
>
> On my Linux box,
>
> $ ldd /sbin/syslog-ng
> libnsl.so.1 => /lib/libnsl.so.1 (0x40020000)
> libresolv.so.2 => /lib/libresolv.so.2 (0x40034000)
> libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40044000)
> libnet.so.2 => /usr/lib/libnet1/libnet.so.2 (0x4004c000)
> libc.so.6 => /lib/libc.so.6 (0x4005e000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
>
> And, on my FreeBSD box,
>
> % ldd /usr/local/sbin/syslog-ng
> /usr/local/sbin/syslog-ng:
> libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2807c000)
> libc.so.4 => /usr/lib/libc.so.4 (0x28084000)
>
>
> HTH
> mitch
>
>
> > Andrew,
> >
> > I put in my system, the hosts.allow below:
> >
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > # hosts.allow This file describes the names of the hosts which are
> > # allowed to use the local INET services, as decided
> > # by the '/usr/sbin/tcpd' server.
> > #
> >
> > in.tftpd: ALL :allow
> > sshd: ALL :allow
> > ALL: ALL :deny
> >
> >
> > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >
> > And the configuration is still not working.
> > Can you help me, please?
> >
> > Thanks.
>
> --
> Musashino-shi, Tokyo, Japan
> K12LTSP in Japanese ; http://open-mitch.dyndns.org/k12ltsp/
>=20
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
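
The check described at the top of this message, as an added example that is not part of the original thread: a shell audit that combines the `strings ... | grep twist` test with a scan of the access file for `:deny` rules. The function names and the stand-in files in `demo` are constructed for illustration, and the string match is the same heuristic the message describes, not a guarantee about how a given library was built.

```shell
#!/bin/sh
# Added example (not from the thread). Flags the failure mode described above:
# ":deny" rules in an access file used with a libwrap built without
# -DPROCESS_OPTIONS. Function names and sample files are constructed.

# 0 if the library contains the "twist" option strings, 1 otherwise.
libwrap_has_options() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" | grep -q twist
    else
        LC_ALL=C grep -aq twist "$1"   # fallback when strings is not installed
    fi
}

# Print every rule whose last colon-separated field is the "deny" option.
deny_rules() {
    awk '/^[ \t]*(#|$)/ { next }      # skip comments and blank lines
         { n = split($0, f, ":"); opt = f[n]; gsub(/[ \t]/, "", opt)
           if (n >= 3 && tolower(opt) == "deny") print FNR ": " $0 }' "$1"
}

# audit_wrappers LIB RULES: 1 if RULES uses :deny but LIB cannot honour it.
audit_wrappers() {
    hits=$(deny_rules "$2")
    if [ -z "$hits" ] || libwrap_has_options "$1"; then
        echo "OK: no :deny rules in $2 that $1 cannot honour"
        return 0
    fi
    echo "FAIL: $1 has no option support; these rules will not deny:"
    echo "$hits"
    return 1
}

# Constructed demo: the hosts.allow from the thread, plus two stand-in
# "libraries" (plain files with and without the twist strings).
demo() {
    d=$(mktemp -d) || return 1
    printf 'in.tftpd: ALL :allow\nsshd: ALL :allow\nALL: ALL :deny\n' > "$d/hosts.allow"
    printf 'twist_option: /bin/sh: %%m\n' > "$d/with_options"
    printf 'hosts_access refuse_opt\n' > "$d/without_options"
    audit_wrappers "$d/with_options" "$d/hosts.allow"
    audit_wrappers "$d/without_options" "$d/hosts.allow" || true
    rm -rf "$d"
}
demo
```

On a real host, call `audit_wrappers` with the libwrap path reported by `ldd` for the daemon and with `/etc/hosts.allow`.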