The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


vhost


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Mon, 05 Jan 1998 11:42:06 +0500 (ESK)
Date: Fri, 2 Jan 1998 02:58:28 -0800
From: Jim Dennis <[email protected]>
To: [email protected]
Subject: Re: vhost

> Hello,
>
> Well, this problem is too simple, so I'm not even sure it's worth posting,
> but here it is anyway. This applies to vhost v0.4, available at:
> ftp://ftp.solucorp.qc.ca/pub/linuxconf/devel/vhost-0.4.tar.gz

        ...<ellided>...

> Below is a quick and dirty patch that fixes the above problems. The real
> fix would be re-coding, since the whole thing (which is only 4 Kb of C
> source) looks quite broken. For example, it updates password files with
> no locking, while there can be multiple connections at a time.

        I think "the real fix" would be to use the features that are
        already in tcpd.  I had an e-mail conversation with Wietse
        Venema last year in which he pointed out that TCP Wrappers
        can do virtual hosting.

        Here's a sample /etc/hosts.allow that enables a sample
        virtual service:

# hosts.allow
[email protected] : ALL : twist /bin/echo "Go away"

        ( set this up just for testing access from localhost.

        All I had to do to test this was issue the following
        commands:

        > ifconfig lo:1 127.0.0.2 up
        > telnet 127.0.0.2

        (This assumes you have the PROCESS_OPTIONS compile time
        option defined in TCP Wrappers -- and, of course, you have
        TCP Wrappers wrappers installed in inetd.conf).

        It was actually mildly embarassing to me at the time --
        since I had copied him on a message posted to "The Answer Guy"
        -- asking noting this as an enhancement request.  So he was
        pointing out that I simply hadn't read the man pages
        carefully enough (it's in host_options(5)).

        Another option would be to add support for libwrap into
        vhost  and link it in.  However, it sounds like vhost's
        code would have to be cleaned up considerably -- and it
        probably would be a major duplication of effort.  You can
        already call chrootuid (another program by Wietse) in
        your 'twist' directive.

        Perhaps the authors of vhost should seriously consider
        reviewing the tcpd code and asking themselves what benefits
        will accrue from continued effort in that.  If they are
        going to continue their work I'd point them at Matt Bishop's
        web pages where he has published safer versions of system(),
        popen() and a library called 'trustfile'.

        His web pages are at:

                http://olympus.cs.ucdavis.edu/~bishop/

        In particular he has a paper on "Writing Safe Setuid Programs"
        at:
                http://olympus.cs.ucdavis.edu/~bishop/secprog.html

        Wietse's work can usually be found at:

                ftp.win.tue.nl:/pub/security

        (though that seems to be refusing connections at the moment).

        I've never found a web site for him.

--
Jim Dennis  (800) 938-4078              [email protected]
Proprietor, Starshine Technical Services:  http://www.starshine.org
        PGP  1024/2ABF03B1 Jim Dennis <[email protected]>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру