[CentOS] Re: Re: Re: Re: Re: What libs req'd to resolve DNS within a chroot jail?

Tue Jan 15 19:33:07 UTC 2008
mouss <mlist.only at free.fr>

Eric B. wrote:
>>>> Can you post your complete hosts.allow and hosts.deny files?
>>> Not much to them actually:
>>> /chroot/tftpd/etc/hosts.allow:
>>> #
>>> # hosts.allow   This file describes the names of the hosts which are
>>> #               allowed to use the local INET services, as decided
>>> #               by the '/usr/sbin/tcpd' server.
>>> #
>>> in.tftpd : eric.test.com : allow
>>>
>>> /chroot/tftpd/etc/hosts.deny:
>>> #
>>> # hosts.deny    This file describes the names of the hosts which are
>>> #               *not* allowed to use the local INET services, as decided
>>> #               by the '/usr/sbin/tcpd' server.
>>> #
>>> in.tftpd : ALL : deny
>>>
>>>
>>>
>>> Again, I have concerns that I might be missing something in
>>> my chroot jail, but when I change my hosts.allow file to read
>>> the following, it works fine.
>>> in.tftpd: 192.168.3.103 : allow
>>>
>>> So I am utterly and totally confused.  I keep thinking that
>>> there must be something DNS related that I need in the chroot
>>> jail that I am missing.
>>> I do have a /chroot/tftpd/etc/resolv.conf with the nameserver
>>> entry that points to the DNS server, and all files in my
>>> /chroot/tftpd/etc dir are world readable.  I also have a
>>> /chroot/tftpd/etc/hosts file (that is pretty much empty -
>>> just a line for 127.0.0.1).
>>>
>>> # ls -l /chroot/tftpd/etc
>>> -rw-r--r--  1 root root   148 Jan 14 17:53 hosts
>>> -rw-r--r--  1 root root   417 Jan 14 17:37 hosts.allow
>>> -rw-r--r--  1 root root   370 Jan 13 12:13 hosts.deny
>>> -rw-r--r--  1 root root  1267 Jan 12 21:43 localtime
>>> -rw-r--r--  1 root root  1686 Jan 12 15:50 nsswitch.conf
>>> -rw-r--r--  1 root root    86 Jan 14 17:52 resolv.conf
>>> -rw-r--r--  1 root root 20373 Jan 12 15:47 services
>>>
>>>
>>> Is there anything else I need that I am missing?  Either
>>> config file or lib?
>>>
>>> Any suggestions of things I can try?
>>>
>>> Thanks,
>>>
>>> Eric
>>>
>> Something I found:
>>
>> 15.2.3.2. Access Control
>>
>> Option fields also allow administrators to explicitly allow or deny
>> hosts in a single rule by adding the allow or deny directive as the
>> final option.
>>
>> For instance, the following two rules allow SSH connections from
>> client-1.example.com, but deny connections from client-2.example.com:
>>
>> sshd : client-1.example.com : allow
>> sshd : client-2.example.com : deny
>>
>> By allowing access control on a per-rule basis, the option field allows
>> administrators to consolidate all access rules into a single file:
>> either hosts.allow or hosts.deny. Some consider this an easier way of
>> organizing access rules.
>>
>> Conceivably, you could put all rules into one file (hosts.allow maybe).
>> See if that helps..
> 
> Just tried putting everything in the hosts.allow but didn't make any 
> difference.  Tried also in the hosts.deny but no success either.
> 
> Where did you find that reference?  What does 15.2.3.2 point to?
> 
> Any other ideas / theories?
> 

- make sure tftpd is really using the in.tftpd name (you said it works 
with IPs?)
- make sure it does resolve the IP correctly. I have no idea how you 
could test this.

but what is the benefit in managing the zone file instead of hosts.*? I 
mean, since you put the IP in the DNS zone file, why not put it in hosts.*?
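One way to do the check mouss says he has no idea how to test, as an added example that is not from the thread: the script audits a jail directory for the resolver config files and for the NSS modules that ldd never lists (glibc loads them with dlopen according to the hosts: line of nsswitch.conf), then offers a getent lookup to run from inside the jail. The jail path and the /usr/bin/getent location are assumptions; note that tcp_wrappers matches a hostname rule only if the client address's reverse lookup yields that name and the name resolves back to the same address, so both lookups have to work inside the jail.

```shell
# Added example, not from the thread: does a chroot jail have what glibc
# needs to resolve names? ldd never lists the NSS modules (libnss_files,
# libnss_dns, ...): libc dlopen()s them at run time according to
# /etc/nsswitch.conf, so a jail that satisfies ldd can still fail every
# lookup, and a hostname rule in hosts.allow then never matches.

# Print the NSS modules named on the "hosts:" line of an nsswitch.conf,
# skipping comments and action fields such as [NOTFOUND=return].
nss_hosts_modules() {
    sed -n 's/#.*//; s/^hosts:[[:space:]]*//p' "$1" \
        | tr ' \t' '\n\n' | grep -v '^\[' | grep -v '^$'
}

# Report the files a jail is missing for name resolution.
# Returns 0 when everything expected is present, 1 otherwise.
check_chroot_resolver() {
    jail=$1
    missing=0
    for f in etc/nsswitch.conf etc/resolv.conf etc/hosts; do
        if [ ! -r "$jail/$f" ]; then
            echo "missing: $jail/$f"
            missing=1
        fi
    done
    [ -r "$jail/etc/nsswitch.conf" ] || return 1
    # The dns module needs libresolv; every "hosts:" entry needs libnss_<name>.so.2.
    libs="libresolv.so.2"
    for m in $(nss_hosts_modules "$jail/etc/nsswitch.conf"); do
        libs="$libs libnss_$m.so.2"
    done
    for lib in $libs; do
        found=0
        for d in lib lib64 usr/lib usr/lib64; do
            [ -e "$jail/$d/$lib" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $lib (searched $jail/{lib,lib64,usr/lib,usr/lib64})"
            missing=1
        fi
    done
    return $missing
}

# End-to-end check from inside the jail (needs root and a copy of getent
# plus its ldd-listed libraries in the jail). Run it on the client address
# and then on the name it returns: tcp_wrappers wants both directions to agree.
resolve_in_chroot() {
    chroot "$1" /usr/bin/getent hosts "$2"
}
```

Run `check_chroot_resolver /chroot/tftpd` as an ordinary user first; only the getent step needs root.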