NetBSD Problem Report #20829

Received: (qmail 28534 invoked by uid 605); 21 Mar 2003 02:16:09 -0000
Message-Id: <200303210216.h2L2G1Qg003364@quill.porcupine.montreal.qc.ca>
Date: Thu, 20 Mar 2003 21:16:01 -0500 (EST)
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
Sender: gnats-bugs-owner@netbsd.org
Reply-To: Anne Bennett <anne@porcupine.montreal.qc.ca>
To: gnats-bugs@gnats.netbsd.org
Subject: identd from inetd loops due to libwrap
X-Send-Pr-Version: 3.95

>Number:         20829
>Category:       bin
>Synopsis:       identd from inetd loops due to libwrap
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 21 02:17:00 +0000 2003
>Closed-Date:    
>Last-Modified:  Sun Mar 23 23:26:00 +0000 2003
>Originator:     Anne Bennett
>Release:        NetBSD 1.6
>Organization:

>Environment:


System: NetBSD quill.porcupine.montreal.qc.ca 1.6 NetBSD 1.6 (QUILL-20030316) #2: Sun Mar 16 21:36:47 EST 2003 anne@quill.porcupine.montreal.qc.ca:/nobackup/netbsd/netbsd-1.6/src/sys/arch/i386/compile/QUILL i386
Architecture: i386
Machine: i386
>Description:
	Enabling identd (the "auth" or port 113 service) by enabling
	the commented-out line in /etc/inetd.conf results in looping
	when a connection is made from the local host, because
	ident is called by libwrap while trying to ascertain whether
	the initial ident connection is permitted, causing another
	ident connection, and so on.  One must *never* tcp-wrap
	identd for exactly that reason.

	I tried placing "identd : ALL : allow" first in hosts.allow,
	but that did not help; it looks as though the ident call is
	made by default, even before it is determined that this
	information will be needed.  Since libwrap appears *not* to be
	compiled with "ALWAYS_RFC931", I think that is not supposed to
	happen (i.e. the ident call should be made only if
	"blah@hostname" appears in the line for that service in
	hosts.allow), so I don't know what's going on here.  I may be
	misunderstanding ALWAYS_RFC931.

>How-To-Repeat:
	Simply enable the "auth" service as present (commented out) in
	the default inetd.conf file, then make a connection from the
	local host to a service on the local host which is controlled
	by the /etc/hosts.allow file.  "finger" works nicely as an
	example.

>Fix:
	I worked around this by starting identd as a standalone
	daemon, but I don't consider this a particularly good solution.

	First possibility: make sure that ident calls are not made by
	libwrap unless and until it is determined by hosts.allow that
	such a call is necessary; in that case, putting a correct
	"ident" line early enough in hosts.allow would prevent the loop.

	Alternatively, it could be made possible to specify, in
	/etc/inetd.conf, exceptions to the libwrap call.  However,
	this seems like a more difficult fix, and not necessarily a
	better one.

	Another possibility would be to have an option to identd to turn
	off the use of libwrap, and also, supply tcpd for those of us
	who want to enable it on a case-by-case basis.
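The loop described in this PR, as an added Python model that is not part of the report or of libwrap: it assumes simplified hosts.allow semantics (rules scanned in order, first match wins, a "user@host" client pattern requires an ident lookup, and a build with ALWAYS_RFC931 performs that lookup before any rule is read), and it treats each ident query as a fresh inbound connection to a wrapped identd. The "anne" reply and the lookup cap of 8 are constructed values for the demonstration.

```python
from dataclasses import dataclass, field

class LoopDetected(Exception): pass

@dataclass
class Rule:
    daemon: str   # "identd", "fingerd" or "ALL"
    client: str   # "ALL", a host, or "user@host" (needs an ident lookup)
    action: str   # "allow" or "deny"

@dataclass
class Wrapper:
    rules: list          # hosts.allow-style rules; first match wins
    always_rfc931: bool  # True models libwrap built with ALWAYS_RFC931
    lookups: int = field(default=0, init=False)

    def ident_lookup(self, host: str) -> str:
        # The ident query is a new inbound connection to identd on `host`,
        # so a wrapped identd runs this same access check on it.
        self.lookups += 1
        if self.lookups > 8:  # one finger connection never needs this many
            raise LoopDetected("identd check keeps spawning ident lookups")
        self.check("identd", host)
        return "anne"  # constructed reply standing in for the RFC 1413 answer

    def check(self, daemon: str, host: str) -> str:
        user = self.ident_lookup(host) if self.always_rfc931 else None
        for r in self.rules:
            if r.daemon not in (daemon, "ALL"):
                continue
            if "@" in r.client:
                want_user, want_host = r.client.split("@", 1)
                if want_host not in (host, "ALL"):
                    continue
                if user is None:  # lazy: ask identd only when a rule needs it
                    user = self.ident_lookup(host)
                if want_user not in (user, "ALL"):
                    continue
            elif r.client not in (host, "ALL"):
                continue
            return r.action
        return "deny"

def outcome(rules: list, always_rfc931: bool) -> str:
    # Result of a local "finger anne@localhost" under the given policy.
    w = Wrapper(rules, always_rfc931)
    try:
        return f"{w.check('fingerd', 'localhost')} after {w.lookups} lookup(s)"
    except LoopDetected:
        return "loop"
```

With eager lookups every policy loops, even one with no "user@host" pattern at all, which matches the behaviour reported above; with lazy lookups an "identd : ALL : allow" rule placed before any rule that needs ident breaks the cycle.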

>Release-Note:
>Audit-Trail:

From: "Greg A. Woods" <woods@weird.com>
To: Anne Bennett <anne@porcupine.montreal.qc.ca>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/20829: identd from inetd loops due to libwrap
Date: Fri, 21 Mar 2003 03:31:46 -0500 (EST)

 [ On Thursday, March 20, 2003 at 21:16:01 (-0500), Anne Bennett wrote: ]
 > Subject: bin/20829: identd from inetd loops due to libwrap
 >

 Two points:

 1. don't try to run identd with '-w' -- it's not likely worth it unless
    you're maybe trying to run a single instance of some peer-to-peer
    service like SMTP that makes many millions of outgoing connections
    per day.

 2. Have a look at the (final) version of inetd in PR#18955.  It solves
    _many_ problems related to libwrap and ident in inetd.

 -- 
 								Greg A. Woods

 +1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
 Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>

From: Anne Bennett <anne@porcupine.montreal.qc.ca>
To: gnats-bugs@gnats.netbsd.org
Cc:  
Subject: Re: bin/20829: identd from inetd loops due to libwrap 
Date: Sun, 23 Mar 2003 18:25:32 -0500

 "Greg A. Woods" <woods@weird.com> suggests, as an answer to my
 inetd/libwrap/identd loop PR:

 > 1. don't try to run identd with '-w' -- it's not likely worth it unless
 >    you're maybe trying to run a single instance of some peer-to-peer
 >    service like SMTP that makes many millions of outgoing connections
 >    per day.

 I wasn't.

 > 2. Have a look at the (final) version of inetd in PR#18955.  It solves
 >    _many_ problems related to libwrap and ident in inetd.

 I tried it (took the base64-encoded gzipped shar archive at the end);
 no go, it still loops.  The service I am testing on is "finger", which
 is twisted to run a little script, in case that matters.  "finger
 anne@localhost" sends inetd into a frenzy of:

   Mar 23 17:49:30 vindemiatrix inetd[17361]: refused connection from
     localhost, service [*]ident/tcp


 For now, I'm continuing to run ident standalone.  (Yes, I had turned
 it off while testing your version of inetd.)


 Anne.
 -- 
 Ms. Anne Bennett, as a private citizen:  anne@porcupine.montreal.qc.ca
 Also reachable more officially at work:  anne@encs.concordia.ca
>Unformatted:
