Bug 235318 - net-mail/cyrus-imapd-2.3.9-r1: daemons drop connection if /etc/hosts.deny exists but is not readable
Status: RESOLVED UPSTREAM
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High critical
Assignee: Tobias Scherbaum (RETIRED)
Reported: 2008-08-20 22:15 UTC by Karsten
Modified: 2008-12-29 17:20 UTC
Description Karsten 2008-08-20 22:15:05 UTC
When playing around with fail2ban, I was experiencing problems with the pop3d and imapd daemons.

Turns out that fail2ban creates /etc/hosts.deny with mode 600, owner root, if the file didn't exist before. The cyrus daemons (running as user cyrus) drop incoming connections right away if the file exists but is not readable for them. This happens regardless of the file's content; it can even be empty. When changing the mode to 644, the file becomes readable and the crashes disappear.

Reproducible: Always

Steps to Reproduce:
1. create /etc/hosts.deny if file doesn't exist
2. chmod 600 /etc/hosts.deny; chown root.root /etc/hosts.deny
3. telnet [ip] 110

Actual Results:  
connection to pop3d is dropped immediately

Expected Results:  
pop3d should accept the connection if IP is not banned in hosts.deny
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-27 18:51:53 UTC
I think that's more or less a problem (or bug) in fail2ban. Which specific version of fail2ban are you running? 

(Adding netmon@)
Comment 2 Karsten 2008-10-27 19:12:10 UTC
(In reply to comment #1)
> I think that's more or less a problem (or bug) in fail2ban.

Playing around with fail2ban revealed the bug for me, but it can be reproduced by carrying out the steps I stated in the initial post. I agree that fail2ban also has a bug - it should not create hosts.deny as 600. But that's not the point of the report I filed.

In my opinion, it's a bug in cyrus' handling of the hosts.deny file. It hits whenever this file exists but cannot be read by the cyrus user.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-27 19:54:42 UTC
(In reply to comment #2)
> In my opinion, it's a bug in cyrus' handling of the hosts.deny file. It hits
> whenever this file exists but cannot be read by the cyrus user.

Please report this bug upstream then. There's not that much we can do about this.
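
The condition described in the report (hosts.deny present but unreadable to the service account) can be checked from the permission bits alone, without switching to that account. The following is an added example, not part of the original bug thread and not code from cyrus-imapd or fail2ban; the function names are hypothetical, and it assumes plain POSIX mode bits (ACLs and directory search permissions are not evaluated).

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """POSIX class check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses the read permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)  # owner class wins, even if "other" allows
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_wrappers(paths, uid, gids):
    """Return {path: 'absent' | 'readable' | 'UNREADABLE'} for the given identity."""
    result = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            result[path] = "absent"  # missing file: not the failure case in the report
            continue
        result[path] = "readable" if can_read(st, uid, gids) else "UNREADABLE"
    return result

def demo():
    """Constructed sample: hosts.deny at mode 600, then 644, seen by a foreign uid."""
    with tempfile.TemporaryDirectory() as d:
        deny = os.path.join(d, "hosts.deny")
        allow = os.path.join(d, "hosts.allow")  # deliberately never created
        open(deny, "w").close()
        st = os.stat(deny)
        # Stand-in for the service user: any uid/gid that is neither owner nor group.
        svc_uid, svc_gid = st.st_uid + 1, st.st_gid + 1
        os.chmod(deny, 0o600)
        before = audit_wrappers([deny, allow], svc_uid, {svc_gid})
        os.chmod(deny, 0o644)
        after = audit_wrappers([deny, allow], svc_uid, {svc_gid})
        return before[deny], after[deny], before[allow]

if __name__ == "__main__":
    print(demo())
```

On a live host, pass `/etc/hosts.allow` and `/etc/hosts.deny` together with the uid and group ids of the account the daemons run as (user cyrus in this report).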