[stunnel-users] privileges not dropped before libwrap processes are spawned

Michal Trojnara Michal.Trojnara at mirt.net
Mon Dec 21 22:04:02 CET 2009

Micah Anderson wrote:
> and then soon after, you released a version 4.25 of stunnel, with this
> changelog entry:
>          * Bugfixes
>            - Spawning libwrap processes delayed until privileges are
>          dropped.
> but we do not see the libwrap processes spawned as anything but the
> privileged user still.
> I'm sorry if I am missing something obvious here, and I appreciate  
> your
> explanation!

What you're missing is an entry for stunnel 4.26:
> - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied  
> to the chrooted directory, as the libwrap processes are no longer  
> chrooted.

Basically I received some complaints and I decided to withdraw this  
modification.  Chrooting libwrap processes was a bad idea.

Honestly I'm sure libwrap (first released by Wietse Venema in 1990) is  
*a lot* more mature and secure compared to OpenSSL.  In case there are  
any security vulnerabilities in libwrap, stunnel is the least of our  


More information about the stunnel-users mailing list