[1384] in linux-security and linux-alert archive
[linux-security] Re: Re: xinetd v. tcp-wrappers
daemon@ATHENA.MIT.EDU (Nigel Metheringham)
Thu Jan 16 12:27:12 1997
To: cschuber@uumail.gov.bc.ca
cc: linux-security@redhat.com,
linux-security@tarsier.cv.nrao.edu (linux-security)
From: Nigel Metheringham <Nigel.Metheringham@ThePLAnet.net>
In-reply-to: Your message of "Wed, 15 Jan 1997 07:18:38 PST."
<199701151518.HAA00739@cwsys.cwent.com>
Date: Thu, 16 Jan 1997 12:45:38 +0000
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
} Xinetd will perform its checks, fork and exec the service program. It does
} not do much of the "paranoid" DNS verification that tcpd does.
}
} [mod: Thus it is open to the attack that the "paranoid" DNS verification
} fixes. i.e. create a reverse mapping for bad.host.attacker.com that reads
} trusted.host.victim.com and you can use services that were not intended
} for you.... -- REW]
Not exactly... xinetd does *no* DNS checks so is immune to DNS spoofing!
The access controls are specified as IP addresses. This is obviously good
for some applications and rubbish for others (you can always run tcpd
under xinetd).
[mod: I stand corrected. Thanks. -- REW]
Adding tcpd's domain lookups into xinetd would require xinetd to fork and
then do its access checks since the DNS calls would otherwise block xinetd
causing it to be very sluggish.
NB If people are interested I have a patch around which adds explicit
netmask specification to all address range specs. I have passed this to
the maintainers, but its not been taken up as yet.
Nigel.
--
[ Nigel.Metheringham@theplanet.net - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK. Fax : +44 113 2345656 ]
[Q: You know when you run sendmail.... A: No, you DELETE sendmail]