Fedora tcp_wrappers (missing) support for custom acl scripts, aclexec

Petr Lautrbach plautrba at redhat.com
Mon Jan 12 08:15:39 UTC 2015


On 01/11/2015 09:22 PM, Pasi Kärkkäinen wrote:
> Hello,
> 
> People who have their names in the Fedora tcp_wrappers changelog added to the CC list.
> 
> Any comments about the below? Obviously the aclexec feature would be useful for all services using tcpwrappers/libwrap (ftp, telnet, tftp, ident, nfs, and many others),
> and thus very nice to have.
> 

Hi,

Please file an RFE bug on tcp_wrappers. I'll try to use the Debian patch.
I'm going to use the Debian patch adding tcpwrappers support in
openssh-6.7p1 likewise.

Petr


> 
> On Sat, Jan 10, 2015 at 12:16:38AM +0200, Pasi Kärkkäinen wrote:
>> Hello,
>>
>> I recently noticed Debian/Ubuntu has had support for "aclexec" in tcp_wrappers via a custom patch since 2006,
>> so you can do this in /etc/hosts.allow or hosts.deny:
>>
>> sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a
>>
>> If sshfilter.sh returns true the access is allowed; if sshfilter.sh returns false the access is denied.
>> Very handy for integrating DNS RBLs and other IP databases etc.
>>
>> What do people feel about that? I'd like to see support for aclexec included in Fedora's tcp_wrappers package.
>>
>> I don't think there have been any upstream releases of tcp_wrappers in the near past,
>> so that aclexec feature is not upstream, but the patch that Debian/Ubuntu are using is available.
>>
>>
>> Debian tcp_wrappers changelog:
>> http://archive.debian.net/changelogs/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-16/changelog
>>
>> "New patch aclexec: adds the aclexec command and its documentation." was added in 2006.
>>
>>
>> Thanks,
>>
>> -- Pasi
>>
> 


-- 
Petr Lautrbach
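
An added example (not from this thread or from the Debian patch) of a filter script that the hosts.allow line quoted above could call: it validates the %a argument as IPv4 before building a DNS RBL query name, and exits 0 to allow or non-zero to deny. The zone rbl.example.org, the RESOLVER hook and the function names are assumptions; IPv6 and malformed input are denied.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/sshfilter.sh, called by aclexec as: sshfilter.sh %a
# Exit status 0 allows the connection, non-zero denies it.

RBL_ZONE="${RBL_ZONE:-rbl.example.org}"   # placeholder zone (assumption)
RESOLVER="${RESOLVER:-resolve_host}"      # lookup hook, replaceable for testing

# Succeeds when the name resolves, i.e. the address is listed. getent cannot
# tell "not listed" from a resolver failure, so a DNS outage reads as not listed.
resolve_host() { getent hosts "$1" >/dev/null 2>&1; }

# Print a dotted-quad IPv4 address with its octets reversed (1.2.3.4 -> 4.3.2.1).
# Fails on anything else, so client-derived text never reaches the DNS query.
reverse_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Return 0 (allow) only for a well-formed IPv4 address that is not listed.
acl_check() {
    rev=$(reverse_ipv4 "$1") || return 1   # malformed or non-IPv4 (incl. IPv6): deny
    if "$RESOLVER" "$rev.$RBL_ZONE"; then
        return 1                           # listed in the RBL: deny
    fi
    return 0
}

# Run the check only when installed under the script name used in the thread.
case "${0##*/}" in
    sshfilter.sh) acl_check "${1:-}"; exit $? ;;
esac
```
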

