Package: libwrap0
Version: 7.6.q-30
Severity: important

Dear Maintainer,

man hosts_options says that "The allow and deny keywords make it possible to keep all access control rules within a single file, for example in the hosts.allow file." and specifically for aclexec: "The connection will be allowed or refused depending on whether the command returns a true or false exit status." However, the aclexec directive in hosts.allow doesn't block requests and seems to skip other directives in hosts.allow.

From the documentation I would assume that the following should block any ssh connections, but it doesn't when put in hosts.allow:

    sshd: ALL : aclexec /bin/false

Even if I add a deny rule to hosts.allow the connection still goes through:

    sshd: ALL : aclexec /bin/false
    sshd: ALL : DENY

If I add the same aclexec configuration to hosts.deny it works (with the reversed logic). The following will block all ssh connections:

    sshd: ALL : aclexec /bin/true

And using /bin/false will allow all ssh connections.

It seems that returning failure in the aclexec command in hosts.allow stops processing hosts.allow and starts processing hosts.deny, which then must have configuration to block the connection. Therefore aclexec in hosts.allow behaves differently from using it in hosts.deny, which really isn't clear from the documentation, which states that hosts.allow can be used as a single configuration file and that the exit code of the aclexec script determines if the request is accepted or rejected. This may lead to more permissive access than expected.

I can't really say if it is a problem with aclexec or if it is an expected behaviour and the documentation is just inaccurate. I tested this on Debian Buster and Debian testing and both behave the same.

Thank you for your help
Martin Kraus

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.6-1 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libwrap0 depends on:
ii  libc6  2.29-10

libwrap0 recommends no packages.

libwrap0 suggests no packages.

-- no debconf information
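As an added example (not part of the bug report and not libwrap's own code), a small Python model of the hosts_access(5) decision order, with aclexec behaving as the report observes: a failing command abandons the table with no match rather than denying, so later lines in hosts.allow are never reached and the decision falls through to hosts.deny. The rule syntax is simplified, the configurations and client address are constructed, and `true`/`false` are run through the shell in place of /bin/true and /bin/false; the last case shows the catch-all hosts.deny entry the report says is needed for the deny to take effect.

```python
import subprocess

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines (simplified)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            f = [x.strip() for x in line.split(":")]
            rules.append((f[0].split(), f[1].split(), f[2:]))
    return rules

def matches(patterns, value):
    return any(p == "ALL" or p == value for p in patterns)

def table_match(rules, daemon, client, default):
    """True/False = decision, None = nothing in this table matched.
    Modelled from the report: a failing aclexec ends processing of the
    table with no match, so later lines in the same file are skipped."""
    for daemons, clients, options in rules:
        if not (matches(daemons, daemon) and matches(clients, client)):
            continue
        for opt in options:
            keyword, _, cmd = opt.partition(" ")
            if keyword.lower() == "aclexec":
                if subprocess.run(cmd, shell=True).returncode != 0:
                    return None  # command failed: table abandoned
            elif keyword.upper() == "DENY":
                return False
            elif keyword.upper() == "ALLOW":
                return True
        return default  # matched without an explicit verdict
    return None

def hosts_access(hosts_allow, hosts_deny, daemon, client):
    """hosts_access(5) order: hosts.allow, then hosts.deny, otherwise grant."""
    v = table_match(parse_rules(hosts_allow), daemon, client, default=True)
    if v is None:
        v = table_match(parse_rules(hosts_deny), daemon, client, default=False)
    return True if v is None else v

# Constructed configurations reproducing the report; client is a test address.
def report_cases(client="203.0.113.5"):
    allow_false = "sshd: ALL : aclexec false\nsshd: ALL : DENY\n"
    return {
        "aclexec false in hosts.allow, hosts.deny empty": hosts_access(allow_false, "", "sshd", client),
        "aclexec true in hosts.deny": hosts_access("", "sshd: ALL : aclexec true\n", "sshd", client),
        "aclexec false in hosts.deny": hosts_access("", "sshd: ALL : aclexec false\n", "sshd", client),
        "aclexec false in hosts.allow, catch-all hosts.deny": hosts_access(allow_false, "sshd: ALL\n", "sshd", client),
    }
```

In this model only the last case, where hosts.deny carries its own `sshd: ALL` entry, actually refuses the connection; the first case is the permissive outcome the report describes.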