[sclug] Hosts.deny for NFS deny on Redhat Ent 4 update 4
Martin Summers
Martin.Summers at ansys.com
Wed Apr 18 15:01:53 UTC 2007
Hello there !

OK - some progress on here (well, a bit !)

The Redhat 4 looks pretty much the same as centos apart from
logos/trademarks and kernel being compiled with a different compiler
than centos 4 U4, but that's the only differences I am aware of.

Checking the libwrap in rpc.mountd :-

    ldd rpc.mountd
    libwrap.so.0 => /usr/lib/libwrap.so.0 (0xb7fc0000)
    libnsl.so.1 => /lib/libnsl.so.1 (0xb7fa9000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7e7f000)
    /lib/ld-linux.so.2 (0xb7fda000)

...so yup, looks like it is linked against libwrap.

Checking the portmap in /sbin for if "hosts.deny" or "hosts.allow" is
mentioned:-

    hosts_allow_table
    /etc/hosts.allow

..so yes, looks like it certainly mentions the files (hosts.deny is
mentioned as well.)

I did a quick "service nfs stop" and then "service nfs start" which
seems to stop the portmapper (not the nfs.lockd as far as I can
tell...).

Alex mentioned about if it was being run as a kernel service...well, as
far as I can tell, it is being run as a kernel service: I was not aware
that you had a choice on Redhat 4.4 these days ! Maybe that is why it is
ignoring the TCP wrappers file (!)

I checked that the hosts.deny was doing "its thing" by checking against
the ftp service and it denies it nicely. Redhat 4 manuals seem to say
that portmap will get denied if I stuff IP addresses in the hosts.deny
like I mentioned earlier....

One quick question - I don't know much about libwrap - using strings on
it seems to indicate that it uses hosts.allow and hosts.deny. Is this
something new / different compared with how hosts.allow and .deny used
to work ?

I have a feeling I am being a real "turnip" here (swap that out with any
root vegetable), but I can't see what it is I have missed.....Maybe it's
time to test the 'ole commercial redhat support and see what gems they
come back with !

...or maybe I will shrug my shoulders and just use iptables ;-) (This is
more likely !)

Thanks for your help everyone !

Regards,
Martin

-----Original Message-----
From: sclug-bounces at sclug.org.uk [mailto:sclug-bounces at sclug.org.uk] On
Behalf Of Matt Dainty
Sent: Wednesday, April 18, 2007 3:08 PM
To: sclug at sclug.org.uk
Subject: Re: [sclug] Hosts.deny for NFS deny on Redhat Ent 4 update 4

* Alex Butcher <lug at assursys.co.uk> [2007-04-18 14:56:27]:
>
> 2) Check whether all NFS-related services have been linked against
> TCP_WRAPPERS;
>
> # strings /sbin/portmap | grep -i hosts
> [...]
> /etc/hosts.allow
> /etc/hosts.deny
>
> should be a good enough test, I reckon.

You could also be linked against libwrap.

> 3) Check I'm not using a kernelspace NFS server. I'd guess that would
> ignore the TCP_WRAPPERS config files.

I think it's probably rpc.mountd that's the important bit here. That
appears to be what validates the mount requests.

On CentOS 4.4 here, rpc.mountd is linked against libwrap, portmap isn't.

Matt
--
"I never deal with the common man. The common man has no spirituality.
The common man thinks that Ganesha is Dennis the Menace's dog."
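
The two checks used in this thread (ldd for a libwrap dependency, and a search of the binary for the /etc/hosts.allow path) combined into one script. This is an added example, not code posted by anyone in the thread; the function names classify_wrap and check_daemons are made up here, and the binaries to inspect are passed in by the caller.

```shell
#!/bin/sh
# Added example: report how a daemon binary picks up TCP wrappers support.
#   dynamic  = ldd output lists libwrap (what ldd shows for rpc.mountd above)
#   embedded = no libwrap dependency, but the binary contains the
#              /etc/hosts.allow path (what strings shows for /sbin/portmap)
#   none     = neither, so hosts.allow / hosts.deny cannot affect this binary
# A result other than "none" only shows that the binary is able to consult
# the wrapper files, not that a given hosts.deny rule matches it.

# classify_wrap LDD_OUTPUT BINARY
# LDD_OUTPUT is the text printed by "ldd BINARY".
classify_wrap() {
    if printf '%s\n' "$1" | grep -q 'libwrap\.so'; then
        echo dynamic
    elif grep -q -F '/etc/hosts.allow' "$2" 2>/dev/null; then
        # grep searches binary files too; -q needs only the exit status
        echo embedded
    else
        echo none
    fi
}

# check_daemons BINARY...
# Prints one line per binary: path, then dynamic / embedded / none / missing.
check_daemons() {
    for bin in "$@"; do
        if [ ! -f "$bin" ]; then
            printf '%-28s %s\n' "$bin" missing
            continue
        fi
        ldd_out=$(ldd "$bin" 2>/dev/null)
        printf '%-28s %s\n' "$bin" "$(classify_wrap "$ldd_out" "$bin")"
    done
}

# Run against whatever binaries are named on the command line, e.g.
#   sh wrapcheck.sh /sbin/portmap "$(command -v rpc.mountd)"
# (wrapcheck.sh is a hypothetical file name for this script).
if [ "$#" -gt 0 ]; then
    check_daemons "$@"
fi
```

A kernel-space nfsd has no binary to inspect this way, which is why the thread focuses on rpc.mountd and portmap.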