Stephen Beahm
2010-Dec-03 20:32 UTC
[Nut-upsdev] [PATCH] upsd tcp_wrappers parsing and logging
Parsing bug was discussed here:
<http://lists.alioth.debian.org/pipermail/nut-upsuser/2010-September/006230.html>
Parsing bug summary
-------------------
working /etc/hosts.allow:
upsd 127.0.0.1 [::1] : ALLOW
broken in /etc/hosts.allow:
upsd localhost : ALLOW
It looks like upsd originally intended to match nut username with system
username? This is not the case now. This causes /etc/hosts.allow information to
be incorrectly parsed. This patch fixes the issue.
Logging was discussed here:
<http://lists.alioth.debian.org/pipermail/nut-upsuser/2010-September/006237.html>
tcp_wrappers was designed around servers that use a separate process for each
connection. The library has a function called refuse() that logs messages and
then calls exit() for that process. However, a single process server does not
exit, so it must perform its own logging. This patch adds logging for
tcp_wrapper denials.
---
server/upsd.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/server/upsd.c b/server/upsd.c
index 0e46595..eef5638 100644
--- a/server/upsd.c
+++ b/server/upsd.c
@@ -410,11 +410,13 @@ static void check_command(int cmdnum, ctype_t *client, int
numarg,
}
#ifdef HAVE_WRAP
- request_init(&req, RQ_DAEMON, progname, RQ_CLIENT_ADDR, client->addr,
RQ_USER, client->username, 0);
+ request_init(&req, RQ_DAEMON, progname, RQ_FILE, client->sock_fd, 0);
+ fromhost(&req);
if (!hosts_access(&req)) {
/* tcp-wrappers says access should be denied */
send_err(client, NUT_ERR_ACCESS_DENIED);
+ upslogx(deny_severity, "tcp_wrappers denied connection from %s",
eval_client(&req));
return;
}
#endif /* HAVE_WRAP */
--
1.7.3.2
Arjen de Korte
2010-Dec-03 21:51 UTC
[Nut-upsdev] [PATCH] upsd tcp_wrappers parsing and logging
Citeren Stephen Beahm <stephenbeahm op comcast.net>:> Parsing bug summary > ------------------- > working /etc/hosts.allow: > upsd 127.0.0.1 [::1] : ALLOW > > broken in /etc/hosts.allow: > upsd localhost : ALLOW > > It looks like upsd originally intended to match nut username with system > username?No. We want to match the NUT username (as configured in upsd.users). The reason why has been discussed before on this list.> This is not the case now.This is intentional. The change from RQ_CLIENT_ADDR to RQ_FILE will probably do away with some confusion for administrators setting this up, so I'll include that part of the patch. Whether or not we want additional logging, remains to be seen. It could help people setting up the server, but on the other hand might also lead to syslog flooding when logging failed attempts. At the moment I'm not convinced that we need more logging. Best regards, Arjen -- Please keep list traffic on the list (off-list replies will be rejected)