Mailinglist Archive: opensuse-bugs (9915 mails)
| < Previous | Next > |
[Bug 230730] cups: tcp_wrappers refused connection from unknown
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Wed, 17 Jan 2007 03:25:24 -0700 (MST)
- Message-id: <20070117102524.384A5FA9@xxxxxxxxxxxxxxxxxxxxxx>
https://bugzilla.novell.com/show_bug.cgi?id=230730
------- Comment #12 from walter.haidinger@xxxxxx 2007-01-17 03:25 MST -------
Ah, I see! No, it is all about cups not working with a perfectly fine and
_unchanged_ hosts.allow file after the upgrade from 10.1 to 10.2.
I'm not relying on tcpd for cups but I wanted to emphasize a likely usage
scenario (which happens to work for me right now, though).
Anyways, I'm also aware that this is an add-on patch to the cups distribution.
That's why I wanted to remove it by building cups from the source rpm.
Unfortunately this doesn't work either, please refer to comment #2.
Does building from the source rpm work for you?
So, the tcp-wrapper add-on patch is obviously broken because all (even
non-socket) connections are passed to libwrap (see comment #3).
The bug may even mount to an annoying DOS attack on the console:
Say, you're logging syslog errors to the console too using syslog-ng usertty()
function to notice important stuff right away. Then your console is flooded
with error messages from cups. How many? Well, lets count the errors per
second:
# for sec in 25 26 27 28 29 ; do grep -c "^Jan 5 21:50:$sec banshee cupsd:
warning: /etc/hosts.allow" /var/log/level/error ; done
564
635
612
563
685
That's about 600 lines per second, rendering your console unusable. Even worse,
the logs only stop upon killing cups (or syslog, of course).
But even if you don't log to console, your /var/log partition will fill rather
quickly...
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Comment #12 from walter.haidinger@xxxxxx 2007-01-17 03:25 MST -------
Ah, I see! No, it is all about cups not working with a perfectly fine and
_unchanged_ hosts.allow file after the upgrade from 10.1 to 10.2.
I'm not relying on tcpd for cups but I wanted to emphasize a likely usage
scenario (which happens to work for me right now, though).
Anyways, I'm also aware that this is an add-on patch to the cups distribution.
That's why I wanted to remove it by building cups from the source rpm.
Unfortunately this doesn't work either, please refer to comment #2.
Does building from the source rpm work for you?
So, the tcp-wrapper add-on patch is obviously broken because all (even
non-socket) connections are passed to libwrap (see comment #3).
The bug may even mount to an annoying DOS attack on the console:
Say, you're logging syslog errors to the console too using syslog-ng usertty()
function to notice important stuff right away. Then your console is flooded
with error messages from cups. How many? Well, lets count the errors per
second:
# for sec in 25 26 27 28 29 ; do grep -c "^Jan 5 21:50:$sec banshee cupsd:
warning: /etc/hosts.allow" /var/log/level/error ; done
564
635
612
563
685
That's about 600 lines per second, rendering your console unusable. Even worse,
the logs only stop upon killing cups (or syslog, of course).
But even if you don't log to console, your /var/log partition will fill rather
quickly...
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
| < Previous | Next > |