Re: tcpd remarks warning

From: Greg A. Woods (woodsat_private)
Date: Fri Apr 02 1999 - 12:39:28 PST

Next message: John Line: "Re: tcpd remarks warning"

Previous message: Gregory Neil Shapiro: "Re: Possible local DoS in sendmail"
Maybe in reply to: Stefano Torricella: "tcpd remarks warning"
Next in thread: John Line: "Re: tcpd remarks warning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ On Friday, April 2, 1999 at 09:32:59 (+0200), Stefano Torricella wrote: ]
> Subject: tcpd remarks warning
>
> i think that when a remark line is found, the parser must go to the
> next line without checking what is in the comment line.
>
> if you write a simple shell program :
> #!/bin/sh
> # this is a comment \
> echo "work !!"
>
> the bash or the bourne shell ignore \ on the comment line !

Remember though that the hosts.{deny,allow} files are not shell scripts.
You cannot assume the syntax rules for one apply to the other, or vice
versa.

Indeed many programs which implement "line continuation" syntax similar
to the "\<newline>" feature will suffer the same problem, including GNU
Make (and probably other makes, but not BSD make).

It's interesting to note that the line continuation feature is *NOT*
documented in the hosts_access(5) manual page.  Unless you've read the
source you shouldn't even know that you can use "\<newline>" to continue
a long entry onto the next line!  ;-)  [[ There is one hint in an
example. ]]

Of course if you read a bit more of the code you'll find that the
stripping of "\<newline>" is done before the check for comment
characters.

There is another even nastier undocumented "limitation" to TCP Wrappers
configuration files -- the maximum length of any "line", whether it is
split by "\<newline>" continuations or not, is BUFLEN-1, which is
normally 2047 bytes.

Futhermore you'll find that TCP Wrappers counts "lines" after the
continuations have been stripped too, which implies that if you use
continuations you'll have a much harder time finding the entry which
tcpdmatch (for example) claimes to have found.

In the end I've found it's more useful to split entries onto multiple
lines anyway (one per target host or network) and to never use
continuations -- which works just fine -- because it has the added
benefit of making it easier to debug which hostname or IP# matched
(tcpdmatch and verbose logging show the line number, and "line numbers"
reported match those my text editor knows about.  This also means I'm
not using an undocumented feature!  ;-)

(BTW, I think your English was more than adequate enough to get your
point across!)

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoodsat_private>      <robohack!woods>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>

Next message: John Line: "Re: tcpd remarks warning"
Previous message: Gregory Neil Shapiro: "Re: Possible local DoS in sendmail"
Maybe in reply to: Stefano Torricella: "tcpd remarks warning"
Next in thread: John Line: "Re: tcpd remarks warning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:22 PDT