NetBSD Problem Report #20829
Received: (qmail 28534 invoked by uid 605); 21 Mar 2003 02:16:09 -0000
Message-Id: <200303210216.h2L2G1Qg003364@quill.porcupine.montreal.qc.ca>
Date: Thu, 20 Mar 2003 21:16:01 -0500 (EST)
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
Sender: gnats-bugs-owner@netbsd.org
Reply-To: Anne Bennett <anne@porcupine.montreal.qc.ca>
To: gnats-bugs@gnats.netbsd.org
Subject: identd from inetd loops due to libwrap
X-Send-Pr-Version: 3.95
>Number: 20829
>Category: bin
>Synopsis: identd from inetd loops due to libwrap
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 21 02:17:00 +0000 2003
>Closed-Date:
>Last-Modified: Sun Mar 23 23:26:00 +0000 2003
>Originator: Anne Bennett
>Release: NetBSD 1.6
>Organization:
>Environment:
System: NetBSD quill.porcupine.montreal.qc.ca 1.6 NetBSD 1.6 (QUILL-20030316) #2: Sun Mar 16 21:36:47 EST 2003 anne@quill.porcupine.montreal.qc.ca:/nobackup/netbsd/netbsd-1.6/src/sys/arch/i386/compile/QUILL i386
Architecture: i386
Machine: i386
>Description:
Enabling identd (the "auth" or port 113 service) by enabling
the commented-out line in /etc/inetd.conf results in looping
when a connection is made from the local host, because
ident is called by libwrap while trying to ascertain whether
the initial ident connection is permitted, causing another
ident connection, and so on. One must *never* tcp-wrap
identd for exactly that reason.
I tried placing "identd : ALL : allow" first in hosts.allow,
but that did not help; it looks as though the ident call is
made by default, even before it is determined that this
information will be needed. Since libwrap appears *not* to be
compiled with "ALWAYS_RFC931", I think that is not supposed to
happen (i.e. the ident call should be made only if
"blah@hostname" appears in the line for that service in
hosts.allow), so I don't know what's going on here. I may be
misunderstanding ALWAYS_RFC931.
>How-To-Repeat:
Simply enable the "auth" service as present (commented out) in
the default inetd.conf file, then make a connection from the
local host to a service on the local host which is controlled
by the /etc/hosts.allow file. "finger" works nicely as an
example.
>Fix:
I worked around this by starting identd as a standalone
daemon, but I don't consider this a particularly good solution.
First possibility: make sure that ident calls are not made by
libwrap unless and until it is determined by hosts.allow that
such a call is necessary; in that case, putting a correct
"ident" line early enough in hosts.allow would prevent the loop.
Alternatively, it could be made possible to specify, in
/etc/inetd.conf, exceptions to the libwrap call. However,
this seems like a more difficult fix, and not necessarily a
better one.
Another possibility would be to have an option to identd to turn
off the use of libwrap, and also, supply tcpd for those of us
who want to enable it on a case-by-case basis.
>Release-Note:
>Audit-Trail:
From: "Greg A. Woods" <woods@weird.com>
To: Anne Bennett <anne@porcupine.montreal.qc.ca>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/20829: identd from inetd loops due to libwrap
Date: Fri, 21 Mar 2003 03:31:46 -0500 (EST)
[ On Thursday, March 20, 2003 at 21:16:01 (-0500), Anne Bennett wrote: ]
> Subject: bin/20829: identd from inetd loops due to libwrap
>
Two points:
1. don't try to run identd with '-w' -- it's not likely worth it unless
you're maybe trying to run a single instance of some peer-to-peer
service like SMTP that makes many millions of outgoing connections
per day.
2. Have a look at the (final) version of inetd in PR#18955. It solves
_many_ problems related to libwrap and ident in inetd.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
To: gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: bin/20829: identd from inetd loops due to libwrap
Date: Sun, 23 Mar 2003 18:25:32 -0500
"Greg A. Woods" <woods@weird.com> suggests, as an answer to my
inetd/libwrap/identd loop PR:
> 1. don't try to run identd with '-w' -- it's not likely worth it unless
> you're maybe trying to run a single instance of some peer-to-peer
> service like SMTP that makes many millions of outgoing connections
> per day.
I wasn't.
> 2. Have a look at the (final) version of inetd in PR#18955. It solves
> _many_ problems related to libwrap and ident in inetd.
I tried it (took the base64-encoded gzipped shar archive at the end);
no go, it still loops. The service I am testing on is "finger", which
is twisted to run a little script, in case that matters. "finger
anne@localhost" sends inetd into a frenzy of:
Mar 23 17:49:30 vindemiatrix inetd[17361]: refused connection from
localhost, service [*]ident/tcp
For now, I'm continuing to run ident standalone. (Yes, I had turned
it off while testing your version of inetd.)
Anne.
--
Ms. Anne Bennett, as a private citizen: anne@porcupine.montreal.qc.ca
Also reachable more officially at work: anne@encs.concordia.ca
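A simplified model of the loop the report describes and of its first proposed fix, added here as an illustration; it is not libwrap or inetd code, and the rule tuples, the `eager` flag (lookup before any rule is read versus lookup only for a "user@host" pattern) and the depth guard are all constructed for the example.

```python
# Constructed hosts.allow-style rules as (daemon, client_pattern, action).
# A "user@host" client pattern can only be matched after an ident lookup.
RULES_PLAIN = [("ALL", "localhost", "allow"), ("ALL", "ALL", "deny")]
RULES_USER = [("ALL", "anne@localhost", "allow"), ("ALL", "ALL", "deny")]
RULES_FIXED = [("identd", "ALL", "allow")] + RULES_USER  # identd rule first

MAX_DEPTH = 8  # guard so the model raises instead of recursing forever


def ident_lookup(client, rules, eager, depth):
    """Model an RFC 931 query: it is a new TCP connection to port 113 on the
    client, so inetd runs the wrapper check on *that* connection as well."""
    if depth > MAX_DEPTH:
        raise RecursionError("ident lookup loop")
    hosts_access("identd", client, rules, eager, depth + 1)
    return "anne"  # constructed reply from the peer's identd


def hosts_access(daemon, client, rules, eager, depth=0):
    """Return True when the first matching rule allows the connection.
    eager=True: look up the user before reading any rule (what the PR sees).
    eager=False: look up the user only for a "user@host" pattern (lazy)."""
    user = ident_lookup(client, rules, eager, depth) if eager else None
    for rule_daemon, pattern, action in rules:
        if rule_daemon not in ("ALL", daemon):
            continue
        if "@" in pattern:
            if user is None:
                user = ident_lookup(client, rules, eager, depth)
            matched = pattern == f"{user}@{client}"
        else:
            matched = pattern in ("ALL", client)
        if matched:
            return action == "allow"
    return False  # no rule matched: deny


def loops(daemon, client, rules, eager):
    """True if checking this connection never terminates in the model."""
    try:
        hosts_access(daemon, client, rules, eager)
        return False
    except RecursionError:
        return True
```

With the eager lookup the loop occurs even when an identd rule is placed first, matching the report's observation; with the lazy lookup the same identd rule ends the recursion.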
>Unformatted: