Subject: bin/20829: identd from inetd loops due to libwrap
To: None <gnats-bugs@gnats.netbsd.org>
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
List: netbsd-bugs
Date: 03/20/2003 21:16:01
>Number:         20829
>Category:       bin
>Synopsis:       identd from inetd loops due to libwrap
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 20 18:17:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Anne Bennett
>Release:        NetBSD 1.6
>Organization:
	
>Environment:
	
	
System: NetBSD quill.porcupine.montreal.qc.ca 1.6 NetBSD 1.6 (QUILL-20030316) #2: Sun Mar 16 21:36:47 EST 2003 anne@quill.porcupine.montreal.qc.ca:/nobackup/netbsd/netbsd-1.6/src/sys/arch/i386/compile/QUILL i386
Architecture: i386
Machine: i386
>Description:
	Enabling identd (the "auth" or port 113 service) by enabling
	the commented-out line in /etc/inetd.conf results in looping
	when a connection is made from the local host, because
	ident is called by libwrap while trying to ascertain whether
	the initial ident connection is permitted, causing another
	ident connection, and so on.  One must *never* tcp-wrap
	identd for exactly that reason.

        I tried placing "identd : ALL : allow" first in hosts.allow,
        but that did not help; it looks as though the ident call is
        made by default, even before it is determined that this
        information will be needed.  Since libwrap appears *not* to be
        compiled with "ALWAYS_RFC931", I think that is not supposed to
        happen (i.e. the ident call should be made only if
        "blah@hostname" appears in the line for that service in
        hosts.allow), so I don't know what's going on here.  I may be
        misunderstanding ALWAYS_RFC931.

>How-To-Repeat:
	Simply enable the "auth" service as present (commented out) in
        the default inetd.conf file, then make a connection from the
        local host to a service on the local host which is controlled
        by the /etc/hosts.allow file.  "finger" works nicely as an
        example.

>Fix:
	I worked around this by starting identd as a standalone
        daemon, but I don't consider this a particularly good solution.

        First possibility: make sure that ident calls are not made by
        libwrap unless and until it is determined by hosts.allow that
        such a call is necessary; in that case, putting a correct
        "ident" line early enough in hosts.allow would prevent the loop.

        Alternatively, it could be made possible to specify, in
        /etc/inetd.conf, exceptions to the libwrap call.  However,
        this seems like a more difficult fix, and not necessarily a
        better one.

        Another possibility would be to have an option to identd to turn
        off the use of libwrap, and also, supply tcpd for those of us
        who want to enable it on a case-by-case basis.

>Release-Note:
>Audit-Trail:
>Unformatted:
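The feedback loop described in this PR, and the "first possibility" fix (only perform the ident lookup once a user@host pattern in hosts.allow actually requires it), can be illustrated with a small model. The code below is an added example, not NetBSD's inetd, identd or libwrap source; it uses a simplified hosts.allow rule format and a constructed ident answer ("anne"), and the `eager_ident` flag stands in for the effect the submitter attributes to ALWAYS_RFC931. The daemon names "fingerd" and "identd" and the host "localhost" are likewise assumptions for the model.

```python
"""Model of the libwrap/identd loop: an ident lookup for a wrapped
service connects to port 113, which inetd also wraps, which triggers
another ident lookup, and so on.  Added illustration, not real code."""
from dataclasses import dataclass


@dataclass
class Rule:
    """One simplified hosts.allow line: daemon : client : action."""
    daemon: str   # daemon name or "ALL"
    client: str   # "ALL", a host, or "user@host" (needs an ident lookup)
    action: str   # "allow" or "deny"


class LoopDetected(Exception):
    """Raised when the ident callbacks nest past max_depth."""


@dataclass
class Network:
    rules: list
    eager_ident: bool      # True: look up ident before evaluating any rule
    depth: int = 0         # current nesting of ident callbacks
    ident_calls: int = 0   # total connections made to port 113
    max_depth: int = 20    # bound so the model terminates instead of looping

    def ident(self, host):
        """Connect to port 113 on host.  Because identd is itself started
        by inetd and wrapped, that connection is access-checked too."""
        self.ident_calls += 1
        self.depth += 1
        if self.depth > self.max_depth:
            raise LoopDetected
        try:
            if not self.access("identd", host):
                return "unknown"
            return "anne"   # constructed reply from the model's identd
        finally:
            self.depth -= 1

    def access(self, daemon, host):
        """Evaluate the rules for a connection from host to daemon.
        Returns True if allowed; no matching rule means deny."""
        user = self.ident(host) if self.eager_ident else None
        for r in self.rules:
            if r.daemon not in (daemon, "ALL"):
                continue
            if "@" in r.client:
                pat_user, pat_host = r.client.split("@", 1)
                if pat_host not in (host, "ALL"):
                    continue
                if user is None:
                    user = self.ident(host)   # lazy: only now do we need it
                if pat_user not in (user, "ALL"):
                    continue
            elif r.client not in (host, "ALL"):
                continue
            return r.action == "allow"
        return False


def check_finger(rules, eager):
    """Simulate a finger connection from the local host.
    Returns ("loop", n), ("allow", n) or ("deny", n), where n is the
    number of ident connections that were made."""
    net = Network(rules=rules, eager_ident=eager)
    try:
        ok = net.access("fingerd", "localhost")
    except LoopDetected:
        return ("loop", net.ident_calls)
    return ("allow" if ok else "deny", net.ident_calls)


# Constructed hosts.allow: the identd exception first, then a finger rule
# whose user@host pattern forces an ident lookup.
RULES = [
    Rule("identd", "ALL", "allow"),
    Rule("fingerd", "anne@localhost", "allow"),
]

if __name__ == "__main__":
    print("eager ident:", check_finger(RULES, eager=True))   # loops
    print("lazy ident: ", check_finger(RULES, eager=False))  # one lookup, allowed
```

With eager lookups the identd rule never gets a chance to short-circuit anything, because the lookup happens before any rule is read; with lazy lookups the same rule order resolves the nested identd check in one step, which is the behaviour the submitter expected from a libwrap built without ALWAYS_RFC931.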