Socket Wrappers Background Info
Socket Wrappers is an improved version of tcp_wrappers by Wietse Venema. I am one of the maintainers of xinetd, which in 2001 was listed on bugtraq. I spent a great deal of time cleaning up all the xinetd code and then started into its libraries. This eventually led me to look into tcp_wrappers. I started looking around and realized that it needed just a little cleaning up. It's been a great piece of software, but it's time to move it from K&R to ANSI code so that compilers and lint tools can do a better job of checking the code.

I started off by contacting Wietse, and we have traded e-mails on all the modifications I've made. I'm publishing socket_wrappers at this point because an updated version of tcp_wrappers appears to be slow going, my attention has been shifted to re-designing xinetd, and these changes are low risk but important for applications that depend on tcp_wrappers. It is my hope that these changes get picked up in the next version of tcp_wrappers, but until then...you have socket_wrappers.

The improvements are probably best described as subtle, but they are important. They generally make tcp_wrappers a better third-party library. This is accomplished by prepending 'tcpd_' to all functions that are not in the public API, so there is less chance of name collisions.

Files that were no longer needed were removed. Tcp_wrappers provided its own versions of functions that were in glibc, so why not remove them? For example, it provides getenv(), putenv() and setenv(). Removing these reduced the size of the text segment of the compiled application.

Another problem that was found with tcp_wrappers is that it simply replaces the SIGALRM handler with its own signal handler without respecting the application's previously installed alarm handlers. The improvement was to move to a select()-based technique that times out the socket connections. This lets the application set an alarm handler and not worry about it getting replaced.
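The select()-based timeout described above, as an added example that is not code from socket_wrappers or tcp_wrappers: a line read bounded by a deadline that leaves the application's SIGALRM handler alone. The names read_line_timeout(), app_alarm() and silent_peer_demo() are hypothetical, and a pipe that nobody writes to is a constructed stand-in for a peer that never answers, which is the situation the rfc931 lookup discussed further down has to survive.

```c
#include <errno.h>
#include <signal.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

static void app_alarm(int sig) { (void)sig; }  /* the application's own handler */

/* Hypothetical helper (added example, not socket_wrappers code): read one line
 * within `secs` seconds overall. Returns its length, -1 on error, -2 on timeout. */
int read_line_timeout(int fd, char *buf, size_t len, int secs)
{
    time_t deadline = time(NULL) + secs;
    size_t n = 0;
    while (n + 1 < len) {
        struct timeval tv = { deadline - time(NULL), 0 };
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int rc = tv.tv_sec > 0 ? select(fd + 1, &rfds, NULL, NULL, &tv) : 0;
        if (rc == 0)
            return -2;                     /* peer silent: give up, no SIGALRM used */
        ssize_t r = rc > 0 ? read(fd, buf + n, 1) : -1;  /* 1 byte: stop at newline */
        if (r < 0 && errno == EINTR)
            continue;                      /* e.g. SIGCHLD: retry under same deadline */
        if (r < 0)
            return -1;
        if (r == 0 || buf[n++] == '\n')
            break;                         /* EOF or end of line */
    }
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario: a pipe nobody writes to stands in for a silent peer.
 * Returns 1 if the read timed out and the app's SIGALRM handler is still set. */
int silent_peer_demo(void)
{
    int fds[2];
    char line[128];
    signal(SIGALRM, app_alarm);
    if (pipe(fds) != 0)
        return -1;
    int rc = read_line_timeout(fds[0], line, sizeof line, 1);
    close(fds[0]);
    close(fds[1]);
    return rc == -2 && signal(SIGALRM, SIG_DFL) == app_alarm;
}

int main(void) { return silent_peer_demo() == 1 ? 0 : 1; }
```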
Another improvement was to change the whole library over from K&R coding to ANSI C style. This lets compilers and analytical tools do a better job. It also makes the library more in line with current programming conventions.

The header tcpd.h was split up to separate the public API from the internal API for the programs that make up the tcp_wrappers package. Usually, all functions and structure declarations in a header file are assumed to be public. However, there were prototypes for functions used only by tcpd and the test programs tcpdmatch and tcpdchk that should not be in a public API. The man pages were also updated with preliminary support for a couple of public functions that were otherwise undocumented.

The rfc931 code (identd) has a call to fgets which will wait for an indefinite amount of time. This is dangerous in that it could be used to hang a server with a specially concocted identd server. This was not a problem in the original tcp_wrappers, because it used setjmp and an alarm to get it out of trouble. So you may ask what was wrong with the original implementation? Well, it called longjmp from a signal handler when it should have been using siglongjmp. This can lead to permanently blocking SIGALRM, since it's not restored by the normal longjmp. Wietse didn't like siglongjmp because of portability concerns, so a select-based technique was chosen.

I also discovered that supplemental groups were not being dropped by tcp_wrappers. Originally, these didn't exist, and over the years it was never updated to handle this. If you want the old/traditional behavior, just comment out the SUP_GROUPS option in the makefile. (It's on by default.) It was indicated to me that this area will be addressed in a future version of tcp_wrappers.

A bug was discovered that if the deny file has bad permissions, or a signal comes in as tcp_wrappers was opening the deny table, tcp_wrappers will unconditionally grant access to whatever was supposed to be protected.
table_match() returns a NO on error, but the deny_table evaluation checks for YES. If NO is returned, host_access returns YES...which means it's OK to allow access. The fix is to introduce a third return code, ERROR, and propagate it up the function calls. Then, in host_access(), test for ERROR being returned and return a NO if it has. It's better to return NO and deny access than it is to return YES and grant access by accident. tcpd is not very susceptible to this problem, since it's unlikely to receive a signal. However, if libwrap is linked to xinetd, proftpd, or OpenSSH, then they are at risk, since they receive SIGCHLD periodically.

Finally, this version has been updated to have a make install and uninstall target. And I added an rpm spec file so that you can build by doing this:

    rpm -tb socket_wrappers-7.6.tar.gz

You can then install just like any other package. You should do an rpm -e tcp_wrappers before installing socket_wrappers, though. The basis for this is that socket_wrappers will install files with the same names. Running erase after installing socket_wrappers will delete the files provided by socket_wrappers.

If you find any bugs in the library, I would like to hear about it. I only plan to publish this until a new version of tcp_wrappers is published by Wietse that updates most if not all of these concerns. At that point, I will withdraw the package.

It should be noted that this package is tuned for Linux, but it should work with little modification on other modern Unix systems. Just be sure to look at the install and uninstall targets in the Makefile.

-Steve Grubb

This page was last updated: 05 January, 2003