Janusz Krzysztofik wrote:
>
> Maybe vino does not provide libwrap with valid server socket data, like
> in the case of tcpdmatch without server address specified? Maybe other
> applications don't do as well? If this is the case, I think libwrap must
> be patched for security.

That is why I filed the bug report and set the severity as high as I did.
None of the tests I performed indicated that the version of libwrap in
testing/unstable was respecting hosts.deny at all.

As it stands currently, you can utilize a valid documented method of
calling the hosts_ctl function (from the manpage):

    int hosts_ctl(daemon, client_name, client_addr, client_user)

    hosts_ctl() is a wrapper around the request_init() and
    hosts_access() routines with a perhaps more convenient interface
    (though it does not pass on enough information to support automated
    client username lookups). The client host address, client host name
    and username arguments should contain valid data or STRING_UNKNOWN.
    hosts_ctl() returns zero if access should be denied.

as vino does (server/libvncserver/sockets.c):

    if(!hosts_ctl("vnc",STRING_UNKNOWN,inet_ntoa(addr.sin_addr),
                  STRING_UNKNOWN)) {
      rfbLog("Rejected connection from client %s\n",
             inet_ntoa(addr.sin_addr));
      close(sock);
      return;
    }

and the configuration in hosts.deny will be effectively ignored.

-- 
Jamin W. Collins