[arch-general] Leafnode and Systemd
Dave Reisner
d at falconindy.com
Thu Oct 18 15:55:30 EDT 2012
On Thu, Oct 18, 2012 at 08:26:16PM +0100, Whiskers wrote:
> On Thu, 18 Oct 2012 00:03:57 +0200 Thomas Bächler <thomas at archlinux.org>
> wrote:
>
> >On 17.10.2012 21:29, Whiskers wrote:
> >> Rather than install tcp-wrappers on my Arch system, I'd like to use
> >> whatever the proper "server" is nowadays instead of /usr/sbin/tcpd - but
> >> what is it?
> >
> >Why would you replace tcpd with anything? Does it serve any purpose at
> >all?
>
> Thanks for responding.
>
> On a system with tcp-wrappers, tcpd is the "server" which launches
> leafnode. From man leafnode:
>
> [...]
>
> The leafnode program itself is the NNTP server. It is run from
> /etc/inetd.conf when someone wants to read news. The other parts of
> the package, fetchnews and texpire, are responsible for fetching new
> news from another server, and for deleting old news.
>
> [...]
>
> No network-level access control is supported. This is a deliberate
> omission: Implementing this is a job which should not be redone for
> each and every service.
>
> I recommend that either firewalling or tcpd be used for access control.
>
> [...]
>
> Xinetd is the 'new improved' inetd, and the xinetd setup recommended in
> the Leafnode tarball's README has tcpd as the "server" and leafnode as
> the "server argument", as in the /etc/xinetd.d/nntp file previously quoted.
> This of course doesn't work on my Arch system, as tcp-wrappers (and thus,
> tcpd) is missing.

It's quite simple. Get rid of tcpd as the "server". It's just a wrapper
that launches an arbitrary process which doesn't link to libwrap.so so
that tcp-wrappers can be used for ACLs. It isn't a requirement -- it's a
recommendation.

> So I'm trying to work out how to get leafnode available on demand, without
> using tcp-wrappers and tcpd, but with ufw, and with the new systemd (I've
> uninstalled initscripts from my system).

Use inetd-style activation via systemd. See sshd@.service and
sshd.socket as an example. xinetd is redundant.

d
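
The inetd-style activation suggested in the reply above, sketched as a socket unit plus a per-connection service template for leafnode. This is an added example, not part of the original message and not taken from the leafnode or Arch packages; the unit names, the /usr/sbin/leafnode path, the news account and the loopback-only bind are assumptions.

```ini
# ---- file: /etc/systemd/system/leafnode.socket (hypothetical unit name) ----
[Unit]
Description=Leafnode NNTP socket (inetd-style activation)

[Socket]
# Loopback only (assumption: single-user news spool). leafnode has no
# network-level access control of its own and tcpd is no longer in front
# of it, so anything wider needs a matching firewall rule (e.g. ufw).
ListenStream=127.0.0.1:119
# Accept=yes: systemd accepts each connection itself and spawns one
# leafnode@.service instance per client, which is what inetd/xinetd did.
Accept=yes

[Install]
WantedBy=sockets.target

# ---- file: /etc/systemd/system/leafnode@.service (template, one per connection) ----
[Unit]
Description=Leafnode NNTP server (per-connection instance)

[Service]
# Assumed binary path and unprivileged account; check your package.
# The leading "-" keeps a non-zero exit from marking the instance failed.
ExecStart=-/usr/sbin/leafnode
User=news
# Pass the accepted connection to leafnode as stdin/stdout, as inetd would.
StandardInput=socket
StandardError=journal
```

Only the socket unit is enabled and started (`systemctl enable leafnode.socket`, then `systemctl start leafnode.socket`); the template is instantiated by systemd on each incoming connection.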