[1384] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Re: xinetd v. tcp-wrappers

daemon@ATHENA.MIT.EDU (Nigel Metheringham)
Thu Jan 16 12:27:12 1997

To: cschuber@uumail.gov.bc.ca
cc: linux-security@redhat.com,
        linux-security@tarsier.cv.nrao.edu (linux-security)
From: Nigel Metheringham <Nigel.Metheringham@ThePLAnet.net>
In-reply-to: Your message of "Wed, 15 Jan 1997 07:18:38 PST."
             <199701151518.HAA00739@cwsys.cwent.com> 
Date: Thu, 16 Jan 1997 12:45:38 +0000
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

} Xinetd will perform its checks, fork and exec the service program.  It does
} not do much of the "paranoid" DNS verification that tcpd does.
} 
} [mod: Thus it is open to the attack that the "paranoid" DNS verification
} fixes. i.e. create a reverse mapping for bad.host.attacker.com that reads
} trusted.host.victim.com and you can use services that were not intended 
} for you.... -- REW]

Not exactly... xinetd does *no* DNS checks so is immune to DNS spoofing!  
The access controls are specified as IP addresses.  This is obviously good 
for some applications and rubbish for others (you can always run tcpd 
under xinetd).

[mod: I stand corrected. Thanks. -- REW]

Adding tcpd's domain lookups into xinetd would require xinetd to fork and 
then do its access checks since the DNS calls would otherwise block xinetd 
causing it to be very sluggish.

NB If people are interested I have a patch around which adds explicit 
netmask specification to all address range specs.  I have passed this to 
the maintainers, but its not been taken up as yet.

	Nigel.


-- 
[ Nigel.Metheringham@theplanet.net   - Unix Applications Engineer ]
[ *Views expressed here are personal and not supported by PLAnet* ]
[ PLAnet Online : The White House          Tel : +44 113 251 6012 ]
[ Melbourne Street, Leeds LS2 7PS UK.      Fax : +44 113 2345656  ]
[Q: You know when you run sendmail....  A: No, you DELETE sendmail]


home help back first fref pref prev next nref lref last post