Maybe it's time to get rid of tcpwrappers/tcpd?

Miloslav Trmač mitr at volny.cz
Thu Mar 20 21:22:19 UTC 2014


2014-03-20 20:55 GMT+01:00 Hans de Goede <hdegoede at redhat.com>:

> Lennart says:
> 1) It is horrible code
> 2) It really really is horrible horrible code
> 3) And there are other ways to achieve the same goal, so let's kill it
>
> Others say:
> 1) There may be other ways but none so easily centrally managed with
> a unified syntax for all services
>

Yes.  It's notable that almost every widely-used network server that
doesn't use tcp_wrappers has needed to add a very similar set of options;
so we shouldn't expect that if tcp_wrappers were removed users would stop
using or asking for that kind of functionality.

Centralizing the language, semantics and implementation is clearly a better
UI and better design.  Not only for the common case of "the same option has
a different name in the other daemon", but also for the corner cases like
error behavior where various independent implementations differ in
surprising ways.  Such surprises are great starting points for attackers
looking to bypass policy.

From the users' POV, moving from tcp_wrappers to per-daemon configuration
is a clear step backwards.  If the implementers' POV differs, that's a
reason to change the implementation, not to discard the feature.
    Mirek