Enhancement #2785

Drop TCP wrappers hosts.allow hosts.deny templates

Added by Davide Principi about 7 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-base
Target version: v6.5
Resolution:
NEEDINFO: No

Description

Some legacy templates still configure tcpwrappers, namely

  • ntpd
  • sshd
  • slapd

The same functionality is offered by the "modern" kernel firewall. To ease maintainability, we could remove the following templates and replace them with empty (?) files:

/etc/hosts.allow
/etc/hosts.deny
/etc/localnetworks


Related issues

Related to NethServer 6 - Feature #1087: /etc/localnetworks Local networks file CLOSED 05/02/2012
Related to NethServer 6 - Bug #2847: Remote access: web interface error when changing the SSH ... CLOSED
Related to NethServer 6 - Bug #2928: slapd Upstart status is out of control if BDB is corrupted CLOSED
Related to NethServer 6 - Bug #3332: Warning message "grep: /etc/hosts.allow: No such file or ... CLOSED

Associated revisions

Revision 29e7133c
Added by Davide Principi almost 7 years ago

hosts.allow/deny template: removed sshd settings. Refs #2847 #2785

Revision 90a5d20f
Added by Davide Principi almost 7 years ago

hosts.allow/deny templates: removed slapd fragment. Refs #2928 #2785

Revision d61b2d69
Added by Giacomo Sanchietti almost 7 years ago

Remove hosts.{allow,deny}. Refs #2785

Revision b73311ee
Added by Giacomo Sanchietti almost 7 years ago

createlinks: remove hosts.{allow,deny}. Refs #2785

Revision 8d207843
Added by Giacomo Sanchietti almost 7 years ago

createlinks: remove hosts.{allow,deny}. Refs #2785

Revision 621e1f5a
Added by Giacomo Sanchietti almost 7 years ago

Remove hosts.{allow,deny}. Refs #2785

Revision e0fe465a
Added by Giacomo Sanchietti over 6 years ago

Remove hosts.allow, hosts.deny and localnetworks files. Refs #2785

Revision a4660656
Added by Giacomo Sanchietti over 6 years ago

Merge remote-tracking branch 'origin'. Refs #2785

Revision f366ad8b
Added by Giacomo Sanchietti over 6 years ago

Merge branch 'b2785'. Refs #2785

Revision b492bf45
Added by Giacomo Sanchietti over 6 years ago

Merge branch 'b2785'. Refs #2785

Revision 01a8f7cc
Added by Giacomo Sanchietti over 6 years ago

Merge branch 'b2785'. Refs #2785

Revision 064607c9
Added by Davide Principi over 6 years ago

Merge branches: Refs #2785 #2845

History

#1 Updated by Davide Principi about 7 years ago

  • Target version set to ~FUTURE

#2 Updated by Davide Principi about 7 years ago

  • Related to Feature #1087: /etc/localnetworks Local networks file added

#3 Updated by Filippo Carletti almost 7 years ago

  • Target version changed from ~FUTURE to v6.6-beta1

#4 Updated by Davide Principi almost 7 years ago

  • Related to Bug #2847: Remote access: web interface error when changing the SSH port added

#5 Updated by Davide Principi almost 7 years ago

  • Related to Bug #2928: slapd Upstart status is out of control if BDB is corrupted added

#6 Updated by Davide Principi almost 7 years ago

  • Subject changed from Drop tcpwrappers host.allow host.deny templates to Drop TCP wrappers hosts.allow hosts.deny templates

#7 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#8 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#9 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 30 to 60

Implemented in branch b2785 inside the following packages:
  • nethserver-base
  • nethserver-openssh
  • nethserver-ntp
  • nethserver-directory

#10 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 60 to 30

Also remove expanded templates if already in place.

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from v6.6-beta1 to v6.5

#12 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#13 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Everything merged to master branch.

Packages in nethserver-testing:
  • nethserver-directory-2.0.4-1.3gitb492bf4.ns6.noarch.rpm
  • nethserver-openssh-1.0.6-6.0git01a8f7cc.ns6.noarch.rpm
  • nethserver-ntp-1.0.6-2.0gitf366ad8b.ns6.noarch.rpm
  • nethserver-base-2.5.3-16.0gita4660656.ns6.noarch.rpm

Test case 1
  • Check ldap, openssh and ntp are correctly running

Test case 2
  • Check that the following files don't exist:
    /etc/hosts.allow
    /etc/hosts.deny
    /etc/localnetworks

#14 Updated by Stefano Fancello over 6 years ago

  • Assignee set to Stefano Fancello

#15 Updated by Stefano Fancello over 6 years ago

  • Assignee changed from Stefano Fancello to Davide Principi
  • NEEDINFO changed from No to Yes

Both test cases VERIFIED, but the setup-2.8.14-20.el6_4.1.noarch package turns out broken after that:

# rpm -V setup
missing   c /etc/hosts.allow
missing   c /etc/hosts.deny

Is it correct?

#16 Updated by Davide Principi over 6 years ago

  • NEEDINFO changed from Yes to No

Stefano Fancello wrote:

Is it correct?

I noticed; it is documented in the hosts.allow manpage:

A non-existing access control file is treated as if it were an empty file.

I think it's ok to leave it as is: the setup package can restore the distro defaults on next update.
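
An audit that could be run before dropping the files, added here as an example (it is not part of the issue thread or of NethServer's code): it lists the rules hosts.allow and hosts.deny still enforce, treating a missing file as empty, as the manpage sentence quoted above states. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NethServer code. Syntax rules follow hosts_access(5).

# Print the active rules of one access file, one rule per line.
# A missing file prints nothing, i.e. it behaves like an empty file.
active_rules() {
    [ -f "$1" ] || return 0
    awk '
        { line = buf $0; buf = "" }
        # trailing backslash: the rule continues on the next line
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }
        # comments and blank lines carry no rule
        line ~ /^#/ || line ~ /^[ \t]*$/ { next }
        { print line }
        END { if (buf != "" && buf !~ /^#/) print buf }
    ' "$1"
}

count_rules() { active_rules "$1" | wc -l | tr -d ' '; }

# Daemon names found left of ':' in either file (EXCEPT is not
# interpreted, the token is just skipped).
mentioned_daemons() {
    for f in "$1/hosts.allow" "$1/hosts.deny"; do active_rules "$f"; done |
        cut -d: -f1 | tr ', \t' '\n\n\n' | grep -v -e '^$' -e '^EXCEPT$' |
        LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 0: nothing is enforced, the files can go.
# Exit status 1: rules exist and need a firewall equivalent first.
audit_wrappers() {
    dir=${1:-/etc}
    total=$(( $(count_rules "$dir/hosts.allow") + $(count_rules "$dir/hosts.deny") ))
    [ "$total" -eq 0 ] && return 0
    echo "$total rule(s) for: $(mentioned_daemons "$dir")"
    return 1
}

# Constructed sample files, written to a scratch directory.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'sshd: 192.168.1.' \
    'slapd, ntpd: \' '    127.0.0.1' '' > "$demo/hosts.allow"
printf '%s\n' 'ALL: ALL' > "$demo/hosts.deny"
audit_wrappers "$demo" || echo "firewall rules needed before removal"
```

On a host, `audit_wrappers /etc` gives the same report for the live files; an exit status of 0 means removing them changes no access decision.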

#17 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

I think it's ok to leave it as is: the setup package can restore the distro defaults on next update.

I agree, we can move on with the release.

#18 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-ntp-1.0.7-1.ns6.noarch.rpm
  • nethserver-openssh-1.0.8-1.ns6.noarch.rpm
  • nethserver-directory-2.0.5-1.ns6.noarch.rpm
  • nethserver-base-2.5.4-1.ns6.noarch.rpm

#19 Updated by Davide Principi over 5 years ago

  • Related to Bug #3332: Warning message "grep: /etc/hosts.allow: No such file or directory" added
