Jamie Heilman wrote:
>> Can I change this around a bit to achieve my goal - maybe make a new
>> group called "foo" (say) and give that gid to in.telnetd and
>> hosts.allow ... ?
>
> Obscuring your libwrap/tcpd configuration from your local users, at the
> expense of allowing services to run as separate, non-privileged users
> is a bad idea. Privilege separation provides a very tangible benefit,
> obfuscated config files do not.

Another option would be to create a group, for example called "tcpwrap".

Add

    tcpwrap:x:150:telnetd,sshd,irc,identd

(This list is based on the users in /etc/passwd which appear to be for
services that would benefit from tcpwrap. Adjust as appropriate.)

Set /etc/hosts.allow to mode 0640 and ownership root:tcpwrap.

When tcpd is running as UID telnetd, it will also have group equivalence
to GID tcpwrap, so it will be able to read /etc/hosts.allow.

--Joe
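
Added example, not part of either post: a POSIX shell check that a hosts.allow file and a group file match the layout Joe describes (owner root, group tcpwrap, mode 0640, service users listed as group members). The function names and the EXPECT_UID variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the layout from the post (root:tcpwrap, mode 0640).
# Paths are arguments so it can be tried on copies before touching /etc.

# group_field GROUP GROUPFILE N -> field N of GROUP's entry (3 = gid, 4 = members)
group_field() {
    awk -F: -v g="$1" -v n="$3" '$1 == g { print $n }' "$2"
}

# audit_wrap FILE GROUP GROUPFILE USER...
# Prints one line per finding; returns 0 when the layout matches, 1 otherwise.
# EXPECT_UID (assumed knob, default 0 = root) is the expected file owner.
audit_wrap() {
    file=$1 group=$2 groupfile=$3
    shift 3
    bad=0
    want_gid=$(group_field "$group" "$groupfile" 3)
    members=$(group_field "$group" "$groupfile" 4)
    if [ -z "$want_gid" ]; then
        echo "group $group not found in $groupfile"
        return 1
    fi
    # ls -ldn prints the mode string and numeric owner/group portably
    info=$(ls -ldn "$file" | awk '{ print substr($1, 1, 10) ":" $3 ":" $4 }')
    perms=${info%%:*}; rest=${info#*:}; uid=${rest%%:*}; gid=${rest#*:}
    if [ "$perms" != "-rw-r-----" ]; then
        echo "$file: mode is $perms, expected -rw-r----- (0640)"; bad=1
    fi
    if [ "$uid" != "${EXPECT_UID:-0}" ]; then
        echo "$file: owner uid is $uid, expected ${EXPECT_UID:-0}"; bad=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "$file: group gid is $gid, expected $want_gid ($group)"; bad=1
    fi
    # Member names must match exactly; a stray space after a comma breaks the match
    for user in "$@"; do
        case ",$members," in
            *",$user,"*) ;;
            *) echo "$user is not a member of $group"; bad=1 ;;
        esac
    done
    return $bad
}

# Example: sh audit.sh /etc/hosts.allow tcpwrap /etc/group telnetd sshd irc identd
if [ "$#" -ge 4 ]; then audit_wrap "$@"; fi
```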