On Fri, Jul 07, 2006 at 09:44:19AM +0200, Marco d'Itri wrote:
> On Jul 07, Pigeon <[EMAIL PROTECTED]> wrote:
>
> > /etc/hosts.allow and /etc/hosts.deny are set to allow connections from
> > 192.168.1.4, and they work as expected where other services are
> > concerned. Connecting from localhost produces the same result.
> Hard to believe.

I thought the same :-)

> Please show your complete and unedited configuration files.

OK. These are what I've been testing with - they're rather more permissive
than my eventual intention, to eliminate the possibility of the problem
being due to me cocking something up :-)

=====================================================================
### BEGIN /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
imap: ALL
imaps: ALL
portmap: 127.0.0.1
sshd: ALL
smtp: ALL
### END /etc/hosts.allow
=====================================================================
### BEGIN /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL
### END /etc/hosts.deny
=====================================================================
### BEGIN /etc/inetd.conf (not working)
# /etc/inetd.conf:  see inetd(8) for further informations.
#
# Internet server configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#echo      stream  tcp     nowait  root    internal
#echo      dgram   udp     wait    root    internal
#chargen   stream  tcp     nowait  root    internal
#chargen   dgram   udp     wait    root    internal
#discard   stream  tcp     nowait  root    internal
#discard   dgram   udp     wait    root    internal
#daytime   stream  tcp     nowait  root    internal
#daytime   dgram   udp     wait    root    internal
#time      stream  tcp     nowait  root    internal
#time      dgram   udp     wait    root    internal
#:STANDARD: These are standard services.
#:BSD: Shell, login, exec and talk are BSD protocols.
#:MAIL: Mail, news and uucp services.
imap       stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/lib/dovecot/imap-login
imaps      stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/lib/dovecot/imap-login --ssl
#:INFO: Info services
#:BOOT: Tftp service is provided primarily for booting.  Most sites
#       run this only on machines acting as "boot servers."
#:RPC: RPC based services
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
### END /etc/inetd.conf (not working)
=====================================================================
### BEGIN /etc/inetd.conf (working)
# /etc/inetd.conf:  see inetd(8) for further informations.
#
# Internet server configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#echo      stream  tcp     nowait  root    internal
#echo      dgram   udp     wait    root    internal
#chargen   stream  tcp     nowait  root    internal
#chargen   dgram   udp     wait    root    internal
#discard   stream  tcp     nowait  root    internal
#discard   dgram   udp     wait    root    internal
#daytime   stream  tcp     nowait  root    internal
#daytime   dgram   udp     wait    root    internal
#time      stream  tcp     nowait  root    internal
#time      dgram   udp     wait    root    internal
#:STANDARD: These are standard services.
#:BSD: Shell, login, exec and talk are BSD protocols.
#:MAIL: Mail, news and uucp services.
imap       stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/lib/dovecot/imap
imaps      stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/lib/dovecot/imap --ssl
#:INFO: Info services
#:BOOT: Tftp service is provided primarily for booting.  Most sites
#       run this only on machines acting as "boot servers."
#:RPC: RPC based services
#:HAM-RADIO: amateur-radio services
#:OTHER: Other services
### END /etc/inetd.conf (working)
=====================================================================
### BEGIN ls -al /usr/lib/dovecot
/usr/lib/dovecot:
total 576
drwxr-xr-x  2 root root   4096 2006-07-07 03:23 .
drwxr-xr-x 27 root root   4096 2006-07-07 00:22 ..
-rwxr-xr-x  1 root root 127116 2006-05-19 11:05 dovecot-auth
-rwxr-xr-x  1 root root 348268 2006-05-19 11:05 imap
-rwxr-xr-x  1 root root  84940 2006-05-19 11:05 imap-login
### END ls -al /usr/lib/dovecot
=====================================================================
### BEGIN ls -al /usr/local/lib/dovecot
/usr/local/lib/dovecot:
total 8
drwxr-sr-x 2 root staff 4096 2006-07-07 03:20 .
drwxrwsr-x 4 root staff 4096 2006-07-07 03:19 ..
lrwxrwxrwx 1 root staff   27 2006-07-07 03:20 imap -> /usr/lib/dovecot/imap-login
### END ls -al /usr/local/lib/dovecot
=====================================================================

> > The "sledgehammer" experiment of deleting the imap-login binary gives
> > the incredible result that no change in the behaviour is observed.
> > "ps axf" on the server still shows that /usr/lib/dovecot/imap-login
> > has been started in response to the incoming connection, even though
> > the file no longer exists. !!!
> ps is showing argv[0], which you set in inetd.conf.

OK. It still seems somewhat odd to me that ps shows a nonexistent
executable executing, for 5 seconds... for the crack, I've just tried
executing "/usr/sbin/tcpd /usr/bin/thisisnthere" from the command line and
that too runs for 5 seconds doing nothing. I included the info in case it
was relevant...

The main point of that paragraph is that the behaviour with no imap-login
binary at all is identical to the behaviour with the imap-login binary
present. For some reason the imap-login binary simply isn't being executed.
As I mentioned, this can be further demonstrated by compiling the binary
after inserting several instances of i_warning("It got to here"); at useful
points in the source code. These produce the expected behaviour when
executing imap-login from the command line, but produce nothing at all when
it is run from inetd.

--
Pigeon

Be kind to pigeons

Get my GPG key here:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
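Why the symlink in the "working" inetd.conf changes the outcome: tcpd takes the basename of the argv[0] it is handed (the server path written after /usr/sbin/tcpd) as the daemon name it matches against hosts.allow and hosts.deny, so "imap-login" matches none of the hosts.allow lines above and falls through to "ALL: ALL" in hosts.deny, while the link named "imap" matches "imap: ALL". The model of that hosts_access(5) evaluation below, run over the two files as posted, is an added example and not tcpd's own code; it handles only the ALL wildcard, dotted network prefixes and exact names, not EXCEPT, netgroups or option fields.

```python
import posixpath

# Constructed copies of the rule lines from the two files in the mail
# (comments dropped); each line is "daemon_list : client_list".
HOSTS_ALLOW = "imap: ALL\nimaps: ALL\nportmap: 127.0.0.1\nsshd: ALL\nsmtp: ALL\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    # Return [(daemon_tokens, client_tokens)] for each non-comment line.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(([t.strip() for t in daemons.split(",")],
                          [t.strip() for t in clients.split(",")]))
    return rules

def token_matches(token, value):
    # Subset of hosts_access(5) patterns: ALL, "net." prefix, exact name.
    if token == "ALL":
        return True
    if token.endswith("."):          # "192.168.1." matches 192.168.1.x
        return value.startswith(token)
    return token == value

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(token_matches(t, daemon) for t in daemons)
            and any(token_matches(t, client) for t in clients))

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # tcpd order: a hosts.allow match grants, else a hosts.deny match
    # refuses, else access is granted.
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny)):
        return False
    return True

def tcpd_daemon_name(argv0):
    # tcpd strips the directory from the argv[0] it is handed (the server
    # path after /usr/sbin/tcpd in inetd.conf) and keys hosts_access on it.
    return posixpath.basename(argv0)

if __name__ == "__main__":
    # The two inetd.conf variants from the mail, connecting from 192.168.1.4.
    for argv0 in ("/usr/lib/dovecot/imap-login", "/usr/local/lib/dovecot/imap"):
        name = tcpd_daemon_name(argv0)
        verdict = "granted" if hosts_access(name, "192.168.1.4") else "refused"
        print(f"{argv0}: daemon name {name!r}, access {verdict}")
```

tcpd reports each refusal to syslog as "refused connect from <client>", which is the quickest thing to check when a wrapped service appears never to start.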