<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html><head>
<META NAME="generator" CONTENT="lgazmail v1.1preC">
<TITLE>The Answer Guy 33: "Virtual Hosting" inetd based services using
TCP Wrappers</TITLE>
<!-- ORIGINAL SUBJECT:
chroot, twist, and other rescue-boot fun
JTD SUBTITLE:
-->
</head>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H1 align="center"><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
<a href="../index.html">The Answer Guy</a>
<img src="../../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1>
<BR>
<H4 align="center">By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
<p><hr><p>
<!--endcut ========================================================= -->
<H3><img src="../../gx/dennis/qbub.gif" alt="(?)"
width="50" height="28" align="left" border="0"
>"Virtual Hosting" inetd based services using TCP Wrappers</H3>
<p><strong>From Nick Moffitt on 23 Sep 1998 </strong></p>
<!-- begin body -->

<strong><p>
Hullo thar!
</p></strong>

<strong><p>
You mentioned that you might mail me some example conf files
to show me how you did all those nifty things we talked about on
Saturday. I'm actually working on setting up a chrooted system for
public use here at Penguin, so any examples would be keen (and no, I
haven't searched through the answer guy archives yet).
</p></strong>

<blockquote><img src="../../gx/dennis/bbub.gif" alt="(!)"
width="50" height="28" align="left" border="0"
>[Question stems from a discussion over beer and pizza at one
of the local users' group events in my area. It relates to
using TCP Wrappers to launch different services or different
variations of a given service depending on the <EM>destination</EM>
address of the incoming request. Normally TCP Wrappers, all those
funny looking "/usr/bin/tcpd" references in your /etc/inetd.conf
file, is used to limit which hosts can connect to a service by
matching against the <EM>source</EM> address]
</blockquote>

<blockquote>Here's a couple of trivial examples (I don't have a
copy of 'chrootuid' handy on this box, but you can find
it at cs.purdue.edu's "COAST" security tools archive).
</blockquote>

<table width="90%" bgcolor="#FFFFCC" border="1"><tr><td><pre>
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
# $Revision: 1.3 $ by $Author: lg $ on $Date: 2003/02/03 21:50:23 $
#
in.ftpd: 127.0.0.1: ALLOW
in.ftpd@192.168.1.127: jimd@192.168.1.2: ALLOW
in.ftpd: ALL: DENY
in.telnetd@192.168.1.127: ALL: twist /bin/echo "Not Available\: Go Away!"
in.ftpd: 192.168.1.: ALLOW
ALL: 127.0.0.1
ALL: 192.168.1.
</pre></td></tr></table>

<blockquote>
These are order dependent. The first rule that matches
will be the one that tcpd uses --- so the ALL: rules at the
bottom are significant. If I put them first -- they'd
override the more specific ones --- whereas here, they
don't.
</blockquote>

<blockquote>
In this case my "normal" IP address on eth0 is 192.168.1.3
(canopus.starshine.org). For playing with tcpd I add an
eth0:1 alias (ifconfig eth0:1 192.168.1.127). That would
work as easily if it was a second interface --- ethernet,
PPP or whatever.
</blockquote>

<blockquote>
Now, if I telnet localhost or telnet to canopus, everything
works fine. But if I telnet to the ...127 address it tells
me to go away. The hosts_options and the hosts_access(5)
man pages list a number of replacement operators like %a
for the source IP address of the request and %d for the
"daemon" name (argv[0] of the process). These parameters
can be used in the shell commands.
</blockquote>
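<p>
To make the first-match ordering and the %a/%d expansion from the
preceding paragraphs concrete, here is an added Python model of how tcpd
walks the rules. It is example code written for this page, not tcpd's own
logic, and it is a deliberate simplification of hosts_access(5): it handles
ALL, exact addresses, trailing-dot address prefixes, the daemon@server form
that makes the destination-address "virtual hosting" possible, and
user@host clients, but not hostname suffixes, netmasks, EXCEPT or
KNOWN/UNKNOWN. The rule text is a constructed copy of the hosts.allow
above, and the <code>shadowed_rules()</code> check is my own addition: it
flags rules that an earlier rule always wins over, which is what happens
to the <code>in.ftpd: 192.168.1.: ALLOW</code> line sitting behind
<code>in.ftpd: ALL: DENY</code>.
</p>

```python
import re
from dataclasses import dataclass

# Constructed copy of the hosts.allow rules shown above (sample input, not read from disk).
SAMPLE_HOSTS_ALLOW = """\
in.ftpd: 127.0.0.1: ALLOW
in.ftpd@192.168.1.127: jimd@192.168.1.2: ALLOW
in.ftpd: ALL: DENY
in.telnetd@192.168.1.127: ALL: twist /bin/echo "Not Available\\: Go Away!"
in.ftpd: 192.168.1.: ALLOW
ALL: 127.0.0.1
ALL: 192.168.1.
"""

@dataclass
class Request:
    daemon: str        # argv[0] of the service (%d), e.g. "in.ftpd"
    server: str        # address the request arrived on, the "daemon@host" side (%A)
    client: str        # source address of the request (%a)
    user: str = None   # ident-reported user (%u); None when there is none

@dataclass
class Rule:
    daemons: list   # [(daemon_pattern, server_pattern_or_None)]
    clients: list   # [(user_or_None, client_pattern)]
    option: str     # "ALLOW", "DENY", "twist" or "spawn"
    command: str    # shell command for twist/spawn, % operators still unexpanded

def split_fields(line):
    """Split on ':' separators; a colon written as '\\:' is literal (as in the telnet rule)."""
    return [f.strip().replace('\\:', ':') for f in re.split(r'(?<!\\):', line)]

def parse_rules(text, default_option="ALLOW"):
    """Parse rules in file order.  A rule without an option takes the file's default."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [(name, server or None) for name, _, server in
                   (tok.partition('@') for tok in fields[0].split())]
        clients = [(user if sep else None, pat) for user, sep, pat in
                   (tok.rpartition('@') for tok in fields[1].split())]
        option, command = default_option, ""
        if len(fields) > 2 and fields[2]:
            word, _, rest = fields[2].partition(' ')
            option = word.upper() if word.upper() in ("ALLOW", "DENY") else word.lower()
            command = rest.strip()
        rules.append(Rule(daemons, clients, option, command))
    return rules

def matches(pattern, value):
    """ALL matches anything, a trailing '.' is an address prefix, anything else is exact."""
    return pattern == "ALL" or (value.startswith(pattern) if pattern.endswith('.') else pattern == value)

def rule_matches(rule, req):
    daemon_ok = any(matches(name, req.daemon) and (server is None or matches(server, req.server))
                    for name, server in rule.daemons)
    return daemon_ok and any((user is None or user == req.user) and matches(pat, req.client)
                             for user, pat in rule.clients)

def expand(command, req):
    """Expand the % operators the column mentions (%a, %d) plus %A and %u."""
    table = {'%a': req.client, '%A': req.server, '%d': req.daemon,
             '%u': req.user or "unknown", '%%': '%'}
    return re.sub(r'%[aAdu%]', lambda m: table[m.group(0)], command)

def first_match(rules, req):
    """First matching rule wins: (option, expanded command), or None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.option, expand(rule.command, req)
    return None

def subsumes(broad, narrow):
    """True when every value matching `narrow` also matches `broad`."""
    return broad == "ALL" or (narrow.startswith(broad) if broad.endswith('.') else broad == narrow)

def shadowed_rules(rules):
    """Ordering lint: (index, shadowed_by) for rules an earlier rule always matches first."""
    def covered(broad, narrow):
        d_ok = all(any(subsumes(bn, nn) and (bs is None or (ns is not None and subsumes(bs, ns)))
                       for bn, bs in broad.daemons) for nn, ns in narrow.daemons)
        c_ok = all(any((bu is None or bu == nu) and subsumes(bp, np) for bu, bp in broad.clients)
                   for nu, np in narrow.clients)
        return d_ok and c_ok
    out = []
    for j, narrow in enumerate(rules):
        i = next((i for i in range(j) if covered(rules[i], narrow)), None)
        if i is not None:
            out.append((j, i))
    return out

RULES = parse_rules(SAMPLE_HOSTS_ALLOW)
```

<p>
With these rules, an ftp request from 192.168.1.50 to the 192.168.1.3
address is denied by the third line even though the fifth would allow it,
a telnet to 192.168.1.127 is twisted into the echo command with the
escaped colon restored, and a telnet from 10.0.0.5 to 192.168.1.3 matches
nothing at all, so real tcpd would go on to hosts.deny. Running
<code>shadowed_rules(RULES)</code> reports the fifth rule (index 4) as
unreachable behind the third (index 2), the kind of check worth running
before a rule file goes into production.
</p>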

<blockquote>
Note that the "twist" option is completely different
than the "spawn" option. "spawn" seems to imply "ALLOW"
and spawns a process that is run <EM>in addition to</EM> the
service. This process is spawned with its standard
file descriptors all set to /dev/null --- so it doesn't
interact with the user at all.
</blockquote>

<blockquote>
The twist option runs an alternative to the requested
service. Thus, if you request my web server I might
"twist" that into a cat command that will spit out an
HTTP redirect with a simple 'echo' or 'cat' command
like so:
</blockquote>

<blockquote><blockquote><code>
www@192.168.64.127: ALL: twist /bin/cat /root/web.redirect
</code></blockquote></blockquote>

<blockquote>
I don't know of a way to call for <EM>both</EM> a twist
and a spawn -- but you can write a script (or better,
a small C wrapper) to run the desired "spawn" commands
in the background (with outputs directed to /dev/null,
of course).
</blockquote>
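<p>
The following is an added example of the wrapper idea in the paragraph
above, written in Python rather than the C the column suggests; it is not
the column's code and the path <code>/usr/local/sbin/twistwrap</code> and
the hosts.allow line in its docstring are hypothetical. It does the
"spawn" half itself (a background command with stdin, stdout and stderr
on /dev/null, so it can never talk to the client) and then exec()s the
"twist" alternative, which inherits the client socket on descriptors 0, 1
and 2 exactly as tcpd would have handed it to the real service.
</p>

```python
#!/usr/bin/env python3
"""twistwrap: hypothetical 'twist' target that also performs a 'spawn'.

Hypothetical hosts.allow line using it (%d and %a are expanded by tcpd, which
replaces shell metacharacters in expansions with underscores before running
the command):

  in.telnetd@192.168.1.127: ALL: twist /usr/local/sbin/twistwrap %d %a /bin/echo "Not Available\\: Go Away!"
"""
import os
import subprocess
import sys

def spawn_detached(argv):
    """Start argv the way tcpd's spawn does: every standard descriptor on /dev/null
    and a fresh session, so the child can neither read nor write the connection."""
    return subprocess.Popen(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, start_new_session=True)

def spawn_exit_status(argv):
    """Run argv detached and return its exit status (used by the self-check below)."""
    return spawn_detached(argv).wait()

# Constructed probe for the self-check: exits 0 only if its stdin is empty, which is
# what the child sees when stdin really is /dev/null rather than the client socket.
STDIN_PROBE = [sys.executable, "-c",
               "import sys; sys.exit(0 if sys.stdin.read() == '' else 1)"]

def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: twistwrap DAEMON CLIENT_ADDR ALTERNATIVE [ARGS...]\n")
        return 2
    daemon, client, alternative = argv[1], argv[2], argv[3:]
    # The "spawn" part: record the twisted request via syslog ('logger' is the
    # standard CLI) without touching the client connection.
    spawn_detached(["logger", "-t", "twistwrap",
                    f"{daemon} request from {client} twisted to {alternative[0]}"])
    # The "twist" part: replace this process with the alternative service; it
    # inherits descriptors 0, 1 and 2, which tcpd connected to the client socket.
    os.execvp(alternative[0], alternative)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>
The probe is there so the isolation can be checked rather than assumed:
<code>spawn_exit_status(STDIN_PROBE)</code> returns 0 only when the
detached child's stdin is genuinely empty. The same caution the column
gives next applies here: anything reached through twist runs as the user
inetd configured for that service and with attacker-influenced arguments,
so keep the alternative service as small as the echo in the example.
</p>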

<blockquote>
Naturally, of course, you'll want to follow proper coding
practices for "hostile" environments when you're writing
something that will be "exposed" to the Internet.
</blockquote>

<blockquote>
Matt Bishop, at UC Davis, has some excellent papers on
this topic, and presents his own, more robust,
implementations of the system(), and popen() library calls
--- which are called msystem(), and mpopen() in his library.
</blockquote>

<blockquote>
Matt's site is at:
<A HREF="ftp://nob.cs.ucdavis.edu/pub/sec-tools"
>ftp://nob.cs.ucdavis.edu/pub/sec-tools</A>
(I think there's a web site there, too).
</blockquote>

<!-- end body -->

<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright ©</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 33 October 1998</H5>
<P> <hr> <P>
</body>
</html>
<!--endcut ========================================================= -->