Joe Moore wrote:
> As to your later message:
> setgroups() and initgroups() are not necessary. Already UID telnetd is able
> to write to /var/run/utmp because of its membership in GID utmp.

Huh?

> If they run as a user not listed for tcpwrap (such as an interactive
> user), they will not be able to read /etc/hosts.allow. This may be a very
> good thing:
>
> If /etc/hosts.allow is unreadable, and /etc/hosts.deny has ALL:ALL, tcpwrap
> will prevent all connections. This is desirable if you want a more secure
> system. This means that if you have not added telnetd to the tcpwrap group,
> in.telnetd will not accept connections from anywhere, even if it's
> accidentally (or intentionally) started (by a malicious? user) !!!

Talk about a convoluted approach. If you want services which happen to use
tcp wrappers and which happen to have been started without your knowledge to
reject connections by default, just don't use wildcards (ALL:) in
hosts.allow. List every daemon explicitly. Don't rely on the side effects of
misconfiguration to do something that the framework already allows.

I'll say this one more time: the system isn't that broken, stop trying to
fix it. There is no legitimate reason to jump through all these hoops just
to hide your tcp wrappers configuration from your local users. If the
requirements for your host dictate minimal access rights, use an access
control system that's been designed to achieve it without creating a huge
mess.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
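The point Jamie makes above (an explicit per-daemon hosts.allow plus "ALL: ALL" in hosts.deny already gives default-deny for any wrapped daemon you did not list, no unreadable files needed) can be checked directly. The script below is an added example written for this page, not code from the thread or from the tcp_wrappers package. It models the evaluation order tcp_wrappers uses: the first matching line in hosts.allow grants, otherwise the first matching line in hosts.deny denies, otherwise access is granted. The sample policies are constructed for the example, and the matcher deliberately supports only a subset of the real rule syntax (ALL, exact daemon names, exact client addresses and dotted network prefixes such as "10.0.0."; no EXCEPT, LOCAL, netmasks or hostname lookups). On a real host the same check is done with `tcpdmatch daemon client` from the tcp_wrappers distribution against the live files.

```shell
#!/bin/sh
# Added example: minimal model of tcp_wrappers access evaluation.
# Assumptions: only ALL, exact names and trailing-dot network prefixes are
# recognised in daemon/client lists (a subset of the real tcp_wrappers syntax).

# Constructed sample policies (not real files from the thread).
# A wildcard hosts.allow: any wrapped daemon that happens to get started
# is reachable from the whole 10.0.0.0/24 network.
WEAK_ALLOW='ALL: 10.0.0.'

# The explicit form recommended in the reply: every daemon listed by name,
# so an unlisted daemon such as in.telnetd falls through to hosts.deny.
STRICT_ALLOW='sshd: 10.0.0.
in.ftpd: 10.0.0.1'

# hosts.deny catch-all.
DENY='ALL: ALL'

# match_list LIST ITEM -> 0 if ITEM matches an entry of the comma-separated LIST
match_list() {
  _list=$1; _item=$2; _saved_ifs=$IFS
  IFS=','
  for _entry in $_list; do
    _entry=$(printf '%s' "$_entry" | tr -d ' \t')
    case "$_entry" in
      ALL)      IFS=$_saved_ifs; return 0 ;;          # wildcard
      *.)       case "$_item" in "$_entry"*) IFS=$_saved_ifs; return 0 ;; esac ;;  # net prefix
      "$_item") IFS=$_saved_ifs; return 0 ;;          # exact match
    esac
  done
  IFS=$_saved_ifs
  return 1
}

# rules_match RULES DAEMON CLIENT -> 0 if some "daemon_list : client_list"
# line in RULES matches both DAEMON and CLIENT (first match wins)
rules_match() {
  _rules=$1; _daemon=$2; _client=$3
  while IFS= read -r _line; do
    case "$_line" in ''|'#'*) continue ;; esac       # skip blanks and comments
    _dl=${_line%%:*}
    _cl=${_line#*:}
    if match_list "$_dl" "$_daemon" && match_list "$_cl" "$_client"; then
      return 0
    fi
  done <<EOF
$_rules
EOF
  return 1
}

# tcpd_access ALLOW DENY DAEMON CLIENT -> prints "granted" or "denied"
# hosts.allow is consulted first, then hosts.deny, then the default (grant).
tcpd_access() {
  if rules_match "$1" "$3" "$4"; then echo granted; return 0; fi
  if rules_match "$2" "$3" "$4"; then echo denied;  return 1; fi
  echo granted
  return 0
}

# Demonstration: the same unplanned in.telnetd is reachable under the wildcard
# policy and rejected under the explicit one, without hiding any file.
for _d in sshd in.ftpd in.telnetd; do
  printf 'wildcard  %-11s from 10.0.0.5 -> %s\n' "$_d" "$(tcpd_access "$WEAK_ALLOW"   "$DENY" "$_d" 10.0.0.5)"
  printf 'explicit  %-11s from 10.0.0.5 -> %s\n' "$_d" "$(tcpd_access "$STRICT_ALLOW" "$DENY" "$_d" 10.0.0.5)"
done
```

Note that the explicit policy also narrows in.ftpd to a single address while the wildcard version cannot express per-daemon scope at all; that, rather than an unreadable hosts.allow, is the mechanism the framework already provides for default-deny.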