Re: [Bastille-linux-discuss] xinetd & libwrap: more issues
From: Jay B. <ja...@ba...> - 2001-05-20 23:18:15
In the wise words of Peter W:

> On Fri, May 18, 2001 at 11:54:24AM -0700, Brian Sweeney wrote:
> > As a side note to this, I've noticed that xinetd doesn't seem to like the
> > #Bastille comment added to the xinetd config files on the lines that set
> > NOLIBWRAP. Whenever it starts, it errors with
> >
> > xinetd[1871]: Bad service flag: Bastille: [line=14]
> > xinetd[1871]: Bad service flag: ignore [line=14]
> > xinetd[1871]: Bad service flag: hosts.allow [line=14]
>
> This has already been fixed in CVS and later rc candidates:
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/bastille-linux/dev/1.2.x/Bastille/Bastille/SecureInetd.pm.diff?r1=text&tr1=1.14&r2=text&tr2=1.15&diff_format=u
>
> New issues:
> - the libwrap code in RHAT 7.0 xinetd does not like the
>   inline comment on the finger DENY line in hosts.allow
>   (fixed in CVS)
>   http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/bastille-linux/dev/1.2.x/Bastille/Bastille/SecureInetd.pm.diff?r1=text&tr1=1.15&r2=text&tr2=1.16&diff_format=u
> - Red Hat 7.0 does not honor NOLIBWRAP in xinetd configs
>   (fortunately this does not _seem_ to cause problems)
> - RHAT 7.0 does not have "disable" lines in all xinetd configs
>   but it does have "server" lines
>
> I think this reopens the discussion about trying to force people to
> use xinetd "only_from"/"no_access"/etc. instead of hosts.allow.
> Maybe we should rip out all the xinetd "flags" and "no_access" changes
> and simply edit hosts.allow
>
> Jay, whaddya say?

I'm really, really starting to think this is a good idea. Everybody I talk to about xinetd really hates this new method of access control and the distributions aren't behind it enough to actually disable xinetd's use of libwrap. Any objections?

- Jay
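Added example, not code from the thread or from Bastille: a small Python lint for the inline-comment problem discussed above. It flags xinetd attribute lines and hosts.allow rules that carry a trailing "#" (the two parsers of that era treat the comment words as extra flags or rule fields) and hoists each such comment onto its own line, which both formats accept. The config fragments are constructed samples, and the exact wording of Bastille's comment is assumed.

```python
import re

# Constructed samples (assumed wording): a Bastille-style inline comment on
# an xinetd flags line and on a hosts.allow DENY line.
SAMPLE_XINETD = """\
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    flags       = NOLIBWRAP #Bastille: ignore hosts.allow
    disable     = yes
}
"""
SAMPLE_HOSTS_ALLOW = """\
# constructed hosts.allow fragment
in.fingerd : ALL : DENY # Bastille: finger locked down
sshd : 192.168.1. : ALLOW
"""

# xinetd attribute line: "name = value", "name += value", "name -= value"
XINETD_ATTR = re.compile(r"^(\w+)\s*[+-]?=\s*(.*)$")

def inline_comment_lines(text, attr_re=None):
    """Return (lineno, line) for directive lines with a trailing '#'.
    Whole-line comments are legal in both formats and are skipped. With
    attr_re set, only xinetd attribute values are examined; without it,
    every non-comment hosts.allow line is."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if attr_re is not None:
            m = attr_re.match(s)
            if not m:
                continue          # "service finger", "{", "}" etc.
            s = m.group(2)
        if "#" in s:
            hits.append((n, line))
    return hits

def hoist_inline_comments(text):
    """Move each trailing comment onto its own line above the directive,
    preserving indentation; all other lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "#" in line:
            code, comment = line.split("#", 1)
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}# {comment.strip()}")
            out.append(code.rstrip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Run it over /etc/xinetd.d/* with XINETD_ATTR and over /etc/hosts.allow without it; an empty result means no line will be misread as extra flags or rule fields.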