[Eug-lug] Wrapping for Access Control

Steve euglinux at nwtechops.com
Fri Jan 21 20:05:36 PST 2005


On Fri, 2005-01-21 at 18:49 -0800, Jeff_W wrote:
> I'm trying to figure out how I can use TCP Wrappers to provide
> rudimentary access control for a python-based network service
> (PYGopherd). I've read a bunch of man pages and How-Tos on the web
> and have concluded that in order to get TCP Wrappers to provide
> access control there needs to be a wrapper for it and/or it needs
> to run out of inetd (this is a BSD system w/ tcpd's functions
> integrated into inetd). I've yet to come across some simple
> instructions for creating such a wrapper; tests done with simply
> adding PYG to /etc/services & /etc/inetd.conf and restarting have
> been unsuccessful - PYG starts & stops OK but connections produce
> this:
> 
> # Traceback (most recent call last):
> #   File "/usr/pkg/bin/pygopherd", line 30, in ?
> #     s = initialization.initeverything(conffile)
> #   File "/usr/pkg/lib/python2.3/site-packages/pygopherd/initialization.py", line 187, in initeverything
> #     s = getserverobject(config)
> #   File "/usr/pkg/lib/python2.3/site-packages/pygopherd/initialization.py", line 120, in getserverobject
> #     GopherRequestHandler)
> #   File "/usr/pkg/lib/python2.3/SocketServer.py", line 330, in __init__
> #     self.server_bind()
> #   File "/usr/pkg/lib/python2.3/site-packages/pygopherd/initialization.py", line 100, in server_bind
> #     servertype.server_bind(self)
> #   File "/usr/pkg/lib/python2.3/SocketServer.py", line 341, in server_bind
> #     self.socket.bind(self.server_address)
> #   File "<string>", line 1, in bind
> # socket.error: (48, 'Address already in use')
> 
> 
> Having forgotten anything I might have learned about python, I really
> can't make much of this except that it appears the socket/port is
> not available to the application (maybe because inetd is listening
> on it?).
> 
> Anyways, is there some easy way of "wrapping" PYG for use w/ TCP
> Wrappers or do I need to look at something else like IP Filter,
> etc. ?
> 
> -Jeff

OK, let me see if I can get this right (and readable). I'm not a python
guru so excuse my ignorance in that respect. The script returns a socket
error so I am assuming that it is attempting to set up a listener. On the
other hand inetd is going to reserve that port and listen on it and when
incoming connections hit this port it will direct descriptors 0 and 1 to
the socket and call the registered program, in a nutshell wrapping the
application IO up in the socket instead of normal STDIN / STDOUT. When
PYG initializes the socket it is trying to open a listener on a port
that is already in use, as the above output explains.

A good example of how inetd (also tcpserver, xinetd and other
"wrappers") work would be to register the date command at a port from
within inetd.conf and add the service to /etc/services. When you hit
this port (with something like a telnet client) you should see the same
output as you would by typing the date command at the console - since
the command's STDOUT is redirected to the socket. BTW, if you try this
example make sure you run date as user nobody or someone is apt to start
changing the date/time on your machine for you.

In my opinion the only way to manage this connection in something like
inetd would be to remove the network code and run all IO through STDIN,
STDOUT and STDERR. Probably not trivial; stick with a filter.

-- 
Steve <euglinux at nwtechops.com>
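Added example for this thread (not PyGopherd's code and not from either poster): a toy gopher-style service written the way Steve suggests, against STDIN/STDOUT rather than its own listener, so that inetd can register it like the date command above. It also shows what the wrapper layer actually does with the inherited descriptor: recover the peer address from fd 0 and run a hosts.allow/hosts.deny style check on it before serving. The service name pygtoy, port 7070, the inetd.conf and services lines, the rules and the menu text are all invented for the example; the hosts_access function implements only a subset of the hosts_access(5) client-pattern syntax for illustration and is not libwrap. Python 3.8+ is assumed, unlike the Python 2.3 in Jeff's traceback.

```python
#!/usr/bin/env python3
"""Toy gopher-style service written to be wrapped by inetd (added example).

Under inetd the accepted connection is already on fds 0 and 1, so the
protocol handler is written against plain file objects and never binds a
socket itself.  A standalone listener mode reuses the same handler.
Assumed (hypothetical) registration, one line in each file:
    /etc/services:   pygtoy  7070/tcp
    /etc/inetd.conf: pygtoy  stream  tcp  nowait  nobody  /usr/local/bin/pygtoy.py  pygtoy.py
"""
import io
import ipaddress
import os
import socket
import stat
import sys

def client_matches(pattern, ip):
    """Match one hosts.allow/hosts.deny client pattern (subset) against an IP address."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                # "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                       # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        return addr in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern                     # exact address

def rule_matches(rule, daemon, ip):
    """rule is 'daemon_list : client_list', e.g. 'pygtoy : 127.0.0.1, 192.168.1.'."""
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(client_matches(c.strip(), ip) for c in clients.split(","))
    return daemon_ok and client_ok

def hosts_access(daemon, ip, allow_rules, deny_rules):
    """hosts_access(5) order: allow match grants, then deny match refuses, else grant."""
    if any(rule_matches(r, daemon, ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, ip) for r in deny_rules):
        return False
    return True

def peer_of(fd=0):
    """(ip, port) if fd is a connected TCP socket, as it is under inetd; else None."""
    try:
        if not stat.S_ISSOCK(os.fstat(fd).st_mode):
            return None
    except OSError:
        return None
    s = socket.socket(fileno=os.dup(fd))     # family/type are read from the fd
    try:
        name = s.getpeername()               # '' for AF_UNIX, tuple for AF_INET/6
        return name[:2] if isinstance(name, tuple) else None
    except OSError:                          # descriptor is a socket but not connected
        return None
    finally:
        s.close()                            # closes only our dup, not fd itself

MENU = {  # constructed sample content
    "": "iToy gopher menu\t\tfake\t0\r\n0About\tabout\tlocalhost\t7070\r\n.\r\n",
    "about": "A stdin/stdout service that inetd can wrap.\r\n.\r\n",
}

def handle(rfile, wfile, peer):
    """Serve one request: read a selector line, write the item, return the selector."""
    selector = rfile.readline().rstrip("\r\n")
    body = MENU.get(selector, "3'%s' does not exist\t\terror.host\t1\r\n.\r\n" % selector)
    wfile.write(body)
    wfile.flush()
    return selector

def respond_to(request_text):
    """Run the handler over in-memory streams and return the reply text."""
    out = io.StringIO()
    handle(io.StringIO(request_text), out, ("127.0.0.1", 0))
    return out.getvalue()

def serve_inetd(daemon, allow, deny):
    """Entry point when inetd execs us: the client socket is already fd 0/1."""
    peer = peer_of(0)
    if peer is None:
        sys.stderr.write("fd 0 is not a socket; run from inetd or with --listen\n")
        return 2
    if not hosts_access(daemon, peer[0], allow, deny):
        sys.stderr.write("refused connect from %s\n" % peer[0])
        return 1
    handle(sys.stdin, sys.stdout, peer)
    return 0

def serve_standalone(host, port, daemon, allow, deny):
    """Own listener for testing without inetd; same handler, same access check."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            with conn, conn.makefile("r") as r, conn.makefile("w") as w:
                if hosts_access(daemon, addr[0], allow, deny):
                    handle(r, w, addr)

if __name__ == "__main__":
    ALLOW = ["pygtoy : 127.0.0.1, 192.168.1."]   # constructed sample rules
    DENY = ["ALL : ALL"]
    if "--listen" in sys.argv:
        serve_standalone("127.0.0.1", 7070, "pygtoy", ALLOW, DENY)
    else:
        sys.exit(serve_inetd("pygtoy", ALLOW, DENY))
```

The point of the split is that handle() never sees a socket: launched from inetd.conf it gets the client on sys.stdin/sys.stdout, exactly as Steve describes for the date example, and the same function runs behind the --listen mode for local testing. On a system where tcpd's checks are built into inetd, the hosts_access() part is redundant with what inetd already does on the same peer address; it is included to show what the "wrapping" layer is deciding on.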