Security with TCP_WRAPPERS

With the original inetd service, the servers that were managed rarely had any advanced access control options of their own. These services were often remnants of the early days of the Internet, when systems were a little more trusted than they are today. Examples of these mostly deprecated services are finger, echo, daytime, telnet, shell, exec, and talk, to name a few. xinetd added some more advanced controls, but both inetd and xinetd are able to utilize the TCP_WRAPPER service to aid in access control.

In order to utilize TCP_WRAPPERS, inetd needs to call the user-space program /usr/bin/tcpd with an argument of the desired service, in order to “wrap” that service in the access control. This is not necessary with xinetd, as the xinetd binary has TCP_WRAPPERS support built-in, by nature of its link with the libwrap library. You can see this with the /usr/bin/ldd command:

# ldd /usr/sbin/xinetd
        linux-gate.so.1 =>  (0x0012d000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x0012e000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00149000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00151000)
        libm.so.6 => /lib/libm.so.6 (0x0016a000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00193000)
        libc.so.6 => /lib/libc.so.6 (0x001c5000)
        libdl.so.2 => /lib/libdl.so.2 (0x0031e000)
        /lib/ld-linux.so.2 (0x00110000)

Other services also have native TCP_WRAPPERS support by nature of their links to libwrap.so, including /usr/sbin/sshd and /usr/sbin/sendmail. You can run a simple shell script to determine ...
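As an added illustration (not from the book), the following POSIX shell script checks whether a binary is linked against libwrap.so by inspecting its ldd output; the function names and the sample ldd listings are constructed for this example.

```shell
#!/bin/sh
# Added example: detect native TCP_WRAPPERS support (libwrap.so linkage).
# Caveat: ldd may invoke the dynamic loader on the file it inspects, so only
# run it against trusted system binaries such as those in /usr/sbin.

# Read ldd output on stdin; exit 0 if any libwrap.so line is present.
has_libwrap_in_ldd_output() {
    grep -q 'libwrap\.so'
}

# Run ldd on a real binary.
# Returns 0 = linked against libwrap, 1 = not linked, 2 = ldd failed
# (missing file, static binary, or ldd not installed).
binary_uses_libwrap() {
    out=$(ldd "$1" 2>/dev/null) || return 2
    printf '%s\n' "$out" | has_libwrap_in_ldd_output
}

# Print every executable in a directory that links libwrap, e.g. /usr/sbin.
scan_dir_for_libwrap() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        if binary_uses_libwrap "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample ldd output, modelled on the xinetd listing above.
SAMPLE_XINETD_LDD='        linux-gate.so.1 =>  (0x0012d000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00149000)
        libc.so.6 => /lib/libc.so.6 (0x001c5000)'

# Constructed sample for a binary with no libwrap dependency.
SAMPLE_NOWRAP_LDD='        linux-gate.so.1 =>  (0x0012d000)
        libc.so.6 => /lib/libc.so.6 (0x001c5000)'

# Usage on a live system: scan_dir_for_libwrap /usr/sbin
```

Services that do not show up in the scan only gain TCP_WRAPPERS access control when they are started through tcpd from inetd, as described above.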
