[PATCH 0/3] nfs-utils: Enabling TCP wrappers Part 2

[PATCH 0/3] nfs-utils: Enabling TCP wrappers Part 2

[Steve Dickson]

Now that TCP wrapper are actually working as expected, it causing
problems in configuration that don't support reverse host name
lookups.

For TCP wrappers to actually work correctly, an IP address have to be
converted into host name, to cover the possibility that host names
are used in either the /etc/hosts.deny or /etc/hosts.allow files.
If that IP conversion (i.e. reverse hostname lookup) fails, the
mount has to failed otherwise it open up a security hole since
the host name can not be checked.

In smaller "at home" configurations, this failure cause a great deal
of pain since there will never any type of DNS services and for some
reasons (which were beyond me) adding the IP address to /etc/hosts
was not an option. So this patch set allows configurations like
those to, once again, just work, plus it also stop a needless lookup
when there are no tcp wrapper rules, which is %99.99 of the time.

Patch 01 - I was caching the results of the host access query using 
           the IP address, program number and produce number which 
           was creating too many cache entries for a single host.
           All that's really needed is to has on the the IP address
           and program number.

Patch 02 - This is a repost of a previous patch that will not
           do the host access checks if there are no rules in 
           either hosts.allow or hosts.deny. This version includes
           the suggestion from Chuck Lever that blank lines should 
           also be ignored.

Patch 03 - This patch adds a --insecure | -i command line argument that
           completely turns all of the host access checking. I was a bit
           hesitant about doing this, but once I saw other daemon having
           option I figured it would be good to have.

Comments/Issues?

steved.  

  

[PATCH 1/3] nfs-utils: Hash only on IP address and Program number

[Steve Dickson]

commit efc33a7844332bfe9f22b34ccf4035458a9b344a
Author: Steve Dickson <steved@redhat.com>
Date:   Fri Jan 23 08:59:19 2009 -0500

    Only hash on IP address and Program number. Including the Procedure
    number only creates needles extra hash entries.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
index 977dfca..a450ad5 100644
--- a/support/misc/tcpwrapper.c
+++ b/support/misc/tcpwrapper.c
@@ -108,8 +108,8 @@ typedef struct _hash_head {
 	TAILQ_HEAD(host_list, _haccess_t) h_head;
 } hash_head;
 hash_head haccess_tbl[HASH_TABLE_SIZE];
-static haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long, u_long);
-static void haccess_add(struct sockaddr_in *addr, u_long, u_long, int);
+static haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long);
+static void haccess_add(struct sockaddr_in *addr, u_long, int);
 
 inline unsigned int strtoint(char *str)
 {
@@ -126,11 +126,10 @@ inline int hashint(unsigned int num)
 {
 	return num % HASH_TABLE_SIZE;
 }
-#define HASH(_addr, _proc, _prog) \
-	hashint((strtoint((_addr))+(_proc)+(_prog)))
+#define HASH(_addr, _prog) \
+	hashint((strtoint((_addr))+(_prog)))
 
-void haccess_add(struct sockaddr_in *addr, u_long proc, 
-	u_long prog, int access)
+void haccess_add(struct sockaddr_in *addr, u_long prog, int access)
 {
 	hash_head *head;
  	haccess_t *hptr;
@@ -140,7 +139,7 @@ void haccess_add(struct sockaddr_in *addr, u_long proc,
 	if (hptr == NULL)
 		return;
 
-	hash = HASH(inet_ntoa(addr->sin_addr), proc, prog);
+	hash = HASH(inet_ntoa(addr->sin_addr), prog);
 	head = &(haccess_tbl[hash]);
 
 	hptr->access = access;
@@ -151,13 +150,13 @@ void haccess_add(struct sockaddr_in *addr, u_long proc,
 	else
 		TAILQ_INSERT_TAIL(&head->h_head, hptr, list);
 }
-haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long proc, u_long prog)
+haccess_t *haccess_lookup(struct sockaddr_in *addr, u_long prog)
 {
 	hash_head *head;
  	haccess_t *hptr;
 	int hash;
 
-	hash = HASH(inet_ntoa(addr->sin_addr), proc, prog);
+	hash = HASH(inet_ntoa(addr->sin_addr), prog);
 	head = &(haccess_tbl[hash]);
 
 	TAILQ_FOREACH(hptr, &head->h_head, list) {
@@ -302,7 +301,7 @@ u_long  prog;
 	haccess_t *acc = NULL;
 	int changed = check_files();
 
-	acc = haccess_lookup(addr, proc, prog);
+	acc = haccess_lookup(addr, prog);
 	if (acc && changed == 0)
 		return (acc->access);
 
@@ -311,7 +310,7 @@ u_long  prog;
 		if (acc)
 			acc->access = FALSE;
 		else 
-			haccess_add(addr, proc, prog, FALSE);
+			haccess_add(addr, prog, FALSE);
 		return (FALSE);
 	}
 	if (verboselog)
@@ -320,7 +319,7 @@ u_long  prog;
 	if (acc)
 		acc->access = TRUE;
 	else 
-		haccess_add(addr, proc, prog, TRUE);
+		haccess_add(addr, prog, TRUE);
     return (TRUE);
 }
 

[PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules

[Steve Dickson]

commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
Author: Steve Dickson <steved@redhat.com>
Date:   Fri Jan 23 09:15:57 2009 -0500

    If there are no rules in either /etc/hosts.deny or
    /etc/hosts.allow there is no need to do the host validation.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
index a450ad5..098406c 100644
--- a/support/misc/tcpwrapper.c
+++ b/support/misc/tcpwrapper.c
@@ -34,6 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#include <stdio.h>
 #include <tcpwrapper.h>
 #include <unistd.h>
 #include <string.h>
@@ -55,6 +56,8 @@
 #include <rpc/rpcent.h>
 #endif
 
+static int check_files(void);
+static int check_rules(void);
 static void logit(int severity, struct sockaddr_in *addr,
 		  u_long procnum, u_long prognum, char *text);
 static void toggle_verboselog(int sig);
@@ -175,6 +178,9 @@ struct sockaddr_in *addr;
     char **sp;
     char *tmpname;
 
+	xlog(D_CALL, "good_client: %s: doing access check on %s",
+		daemon, inet_ntoa(addr->sin_addr));
+
 	/* First check the address. */
 	if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
 		return DENY;
@@ -262,8 +268,50 @@ void    check_startup(void)
     (void) signal(SIGINT, toggle_verboselog);
 }
 
+/*
+ * check_rules - check to see if any entries exist in
+ * either hosts file.
+ */
+int check_rules()
+{
+	FILE *fp;
+	char buf[BUFSIZ];
+
+ 	if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
+		return 0;
+
+	while (fgets(buf, BUFSIZ, fp) != NULL) {
+		/* Check for commented lines */
+		if (buf[0] == '#')
+			continue;
+		/* Check for blank lines */
+		if (buf[strspn(buf, " \t\r\n")] == 0)
+			continue;
+		/* Not emtpy */
+		fclose(fp);
+		return 1;
+	}
+	fclose(fp);
+
+	if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
+		return 0;
+
+	while (fgets(buf, BUFSIZ, fp) != NULL) {
+		/* Check for commented lines */
+		if (buf[0] == '#')
+			continue;
+		/* Check for blank lines */
+		if (buf[strspn(buf, " \t\r\n")] == 0)
+			continue;
+		/* Not emtpy */
+		fclose(fp);
+		return 1;
+	}
+	fclose(fp);
+	return 0;
+}
+  
 /* check_files - check to see if either access files have changed */
-
 static int check_files()
 {
 	static time_t allow_mtime, deny_mtime;
@@ -305,6 +353,13 @@ u_long  prog;
 	if (acc && changed == 0)
 		return (acc->access);
 
+	/*
+	 * See if there are any rules to be applied,
+	 * if not, no need to check the address
+	 */
+	if (check_rules() == 0)
+		goto done;
+
 	if (!(from_local(addr) || good_client(daemon, addr))) {
 		log_bad_host(addr, proc, prog);
 		if (acc)
@@ -315,11 +370,12 @@ u_long  prog;
 	}
 	if (verboselog)
 		log_client(addr, proc, prog);
-
+done:
 	if (acc)
 		acc->access = TRUE;
 	else 
 		haccess_add(addr, prog, TRUE);
+
     return (TRUE);
 }
 

Re: [PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules

[Chuck Lever]

I'm surprised this issue hasn't come up for other daemons (sshd  
perhaps?).  Is there code you could borrow for that?

Even better would be to fix tcp_wrappers to handle this optimization  
somehow itself.


On Jan 23, 2009, at Jan 23, 2009, 1:11 PM, Steve Dickson wrote:

> commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
> Author: Steve Dickson <steved@redhat.com>
> Date:   Fri Jan 23 09:15:57 2009 -0500
>
>    If there are no rules in either /etc/hosts.deny or
>    /etc/hosts.allow there is no need to do the host validation.
>
>    Signed-off-by: Steve Dickson <steved@redhat.com>
>
> diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
> index a450ad5..098406c 100644
> --- a/support/misc/tcpwrapper.c
> +++ b/support/misc/tcpwrapper.c
> @@ -34,6 +34,7 @@
> #ifdef HAVE_CONFIG_H
> #include <config.h>
> #endif
> +#include <stdio.h>
> #include <tcpwrapper.h>
> #include <unistd.h>
> #include <string.h>
> @@ -55,6 +56,8 @@
> #include <rpc/rpcent.h>
> #endif
>
> +static int check_files(void);
> +static int check_rules(void);
> static void logit(int severity, struct sockaddr_in *addr,
> 		  u_long procnum, u_long prognum, char *text);
> static void toggle_verboselog(int sig);
> @@ -175,6 +178,9 @@ struct sockaddr_in *addr;
>     char **sp;
>     char *tmpname;
>
> +	xlog(D_CALL, "good_client: %s: doing access check on %s",
> +		daemon, inet_ntoa(addr->sin_addr));
> +
> 	/* First check the address. */
> 	if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
> 		return DENY;
> @@ -262,8 +268,50 @@ void    check_startup(void)
>     (void) signal(SIGINT, toggle_verboselog);
> }
>
> +/*
> + * check_rules - check to see if any entries exist in
> + * either hosts file.
> + */
> +int check_rules()
> +{
> +	FILE *fp;
> +	char buf[BUFSIZ];
> +
> + 	if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
> +		return 0;
> +
> +	while (fgets(buf, BUFSIZ, fp) != NULL) {
> +		/* Check for commented lines */
> +		if (buf[0] == '#')
> +			continue;
> +		/* Check for blank lines */
> +		if (buf[strspn(buf, " \t\r\n")] == 0)
> +			continue;
> +		/* Not emtpy */
> +		fclose(fp);
> +		return 1;
> +	}
> +	fclose(fp);
> +
> +	if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
> +		return 0;
> +
> +	while (fgets(buf, BUFSIZ, fp) != NULL) {
> +		/* Check for commented lines */
> +		if (buf[0] == '#')
> +			continue;
> +		/* Check for blank lines */
> +		if (buf[strspn(buf, " \t\r\n")] == 0)
> +			continue;
> +		/* Not emtpy */
> +		fclose(fp);
> +		return 1;
> +	}
> +	fclose(fp);
> +	return 0;
> +}
> +
> /* check_files - check to see if either access files have changed */
> -
> static int check_files()
> {
> 	static time_t allow_mtime, deny_mtime;
> @@ -305,6 +353,13 @@ u_long  prog;
> 	if (acc && changed == 0)
> 		return (acc->access);
>
> +	/*
> +	 * See if there are any rules to be applied,
> +	 * if not, no need to check the address
> +	 */
> +	if (check_rules() == 0)
> +		goto done;
> +
> 	if (!(from_local(addr) || good_client(daemon, addr))) {
> 		log_bad_host(addr, proc, prog);
> 		if (acc)
> @@ -315,11 +370,12 @@ u_long  prog;
> 	}
> 	if (verboselog)
> 		log_client(addr, proc, prog);
> -
> +done:
> 	if (acc)
> 		acc->access = TRUE;
> 	else
> 		haccess_add(addr, prog, TRUE);
> +
>     return (TRUE);
> }

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

Re: [PATCH 2/3] nfs-utils: Don't do tcp wrapper check when there are no rules

[Steve Dickson]

Chuck Lever wrote:
> I'm surprised this issue hasn't come up for other daemons (sshd
> perhaps?).  Is there code you could borrow for that?
rpcbind... it has a -i flag..

> 
> Even better would be to fix tcp_wrappers to handle this optimization
> somehow itself.
Yeah... we talked.. that would take new interface from
basically dead code... Why wake the dead? :)

steved.
 
> 
> 
> On Jan 23, 2009, at Jan 23, 2009, 1:11 PM, Steve Dickson wrote:
> 
>> commit 58b7e3ef82c5d9e008befcce391027c4741d3a56
>> Author: Steve Dickson <steved@redhat.com>
>> Date:   Fri Jan 23 09:15:57 2009 -0500
>>
>>    If there are no rules in either /etc/hosts.deny or
>>    /etc/hosts.allow there is no need to do the host validation.
>>
>>    Signed-off-by: Steve Dickson <steved@redhat.com>
>>
>> diff --git a/support/misc/tcpwrapper.c b/support/misc/tcpwrapper.c
>> index a450ad5..098406c 100644
>> --- a/support/misc/tcpwrapper.c
>> +++ b/support/misc/tcpwrapper.c
>> @@ -34,6 +34,7 @@
>> #ifdef HAVE_CONFIG_H
>> #include <config.h>
>> #endif
>> +#include <stdio.h>
>> #include <tcpwrapper.h>
>> #include <unistd.h>
>> #include <string.h>
>> @@ -55,6 +56,8 @@
>> #include <rpc/rpcent.h>
>> #endif
>>
>> +static int check_files(void);
>> +static int check_rules(void);
>> static void logit(int severity, struct sockaddr_in *addr,
>>           u_long procnum, u_long prognum, char *text);
>> static void toggle_verboselog(int sig);
>> @@ -175,6 +178,9 @@ struct sockaddr_in *addr;
>>     char **sp;
>>     char *tmpname;
>>
>> +    xlog(D_CALL, "good_client: %s: doing access check on %s",
>> +        daemon, inet_ntoa(addr->sin_addr));
>> +
>>     /* First check the address. */
>>     if (hosts_ctl(daemon, "", inet_ntoa(addr->sin_addr), "") == DENY)
>>         return DENY;
>> @@ -262,8 +268,50 @@ void    check_startup(void)
>>     (void) signal(SIGINT, toggle_verboselog);
>> }
>>
>> +/*
>> + * check_rules - check to see if any entries exist in
>> + * either hosts file.
>> + */
>> +int check_rules()
>> +{
>> +    FILE *fp;
>> +    char buf[BUFSIZ];
>> +
>> +     if ((fp = fopen("/etc/hosts.allow", "r")) == NULL)
>> +        return 0;
>> +
>> +    while (fgets(buf, BUFSIZ, fp) != NULL) {
>> +        /* Check for commented lines */
>> +        if (buf[0] == '#')
>> +            continue;
>> +        /* Check for blank lines */
>> +        if (buf[strspn(buf, " \t\r\n")] == 0)
>> +            continue;
>> +        /* Not emtpy */
>> +        fclose(fp);
>> +        return 1;
>> +    }
>> +    fclose(fp);
>> +
>> +    if ((fp = fopen("/etc/hosts.deny", "r")) == NULL)
>> +        return 0;
>> +
>> +    while (fgets(buf, BUFSIZ, fp) != NULL) {
>> +        /* Check for commented lines */
>> +        if (buf[0] == '#')
>> +            continue;
>> +        /* Check for blank lines */
>> +        if (buf[strspn(buf, " \t\r\n")] == 0)
>> +            continue;
>> +        /* Not emtpy */
>> +        fclose(fp);
>> +        return 1;
>> +    }
>> +    fclose(fp);
>> +    return 0;
>> +}
>> +
>> /* check_files - check to see if either access files have changed */
>> -
>> static int check_files()
>> {
>>     static time_t allow_mtime, deny_mtime;
>> @@ -305,6 +353,13 @@ u_long  prog;
>>     if (acc && changed == 0)
>>         return (acc->access);
>>
>> +    /*
>> +     * See if there are any rules to be applied,
>> +     * if not, no need to check the address
>> +     */
>> +    if (check_rules() == 0)
>> +        goto done;
>> +
>>     if (!(from_local(addr) || good_client(daemon, addr))) {
>>         log_bad_host(addr, proc, prog);
>>         if (acc)
>> @@ -315,11 +370,12 @@ u_long  prog;
>>     }
>>     if (verboselog)
>>         log_client(addr, proc, prog);
>> -
>> +done:
>>     if (acc)
>>         acc->access = TRUE;
>>     else
>>         haccess_add(addr, prog, TRUE);
>> +
>>     return (TRUE);
>> }
> 
> -- 
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com

[PATCH 3/3] nfs-utils: Adding the --insecure flag to mountd and statd

[Steve Dickson]

commit d83be6a170844d7bef37f0bf48ebfb2ef384b57a
Author: Steve Dickson <steved@redhat.com>
Date:   Fri Jan 23 10:04:14 2009 -0500

    Added a --insecure (-i) command line argument, to both mountd and statd,
    that will disable the host access check provide by the tcp wrapper library.
    
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/utils/mountd/mount_dispatch.c b/utils/mountd/mount_dispatch.c
index f00c0c5..c59410a 100644
--- a/utils/mountd/mount_dispatch.c
+++ b/utils/mountd/mount_dispatch.c
@@ -70,10 +70,11 @@ mount_dispatch(struct svc_req *rqstp, SVCXPRT *transp)
 {
 	union mountd_arguments 	argument;
 	union mountd_results	result;
-
 #ifdef HAVE_TCP_WRAPPER
+	extern int insecure;
+
 	/* remote host authorization check */
-	if (!check_default("mountd", svc_getcaller(transp),
+	if (!insecure && !check_default("mountd", svc_getcaller(transp),
 			   rqstp->rq_proc, MOUNTPROG)) {
 		svcerr_auth (transp, AUTH_FAILED);
 		return;
diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
index 6adb68f..12cca81 100644
--- a/utils/mountd/mountd.c
+++ b/utils/mountd/mountd.c
@@ -72,8 +72,14 @@ static struct option longopts[] =
 	{ "num-threads", 1, 0, 't' },
 	{ "reverse-lookup", 0, 0, 'r' },
 	{ "manage-gids", 0, 0, 'g' },
+#ifdef HAVE_TCP_WRAPPER 
+	{ "insecure", 0, 0, 'i' },
+#endif
 	{ NULL, 0, 0, 0 }
 };
+#ifdef HAVE_TCP_WRAPPER 
+int insecure=0;
+#endif
 
 static int nfs_version = -1;
 
@@ -599,7 +605,7 @@ main(int argc, char **argv)
 
 	/* Parse the command line options and arguments. */
 	opterr = 0;
-	while ((c = getopt_long(argc, argv, "o:nFd:f:p:P:hH:N:V:vrs:t:g", longopts, NULL)) != EOF)
+	while ((c = getopt_long(argc, argv, "o:nFd:f:p:P:hiH:N:V:vrs:t:g", longopts, NULL)) != EOF)
 		switch (c) {
 		case 'g':
 			manage_gids = 1;
@@ -627,6 +633,11 @@ main(int argc, char **argv)
 		case 'h':
 			usage(argv [0], 0);
 			break;
+#ifdef HAVE_TCP_WRAPPER 
+		case 'i':
+			insecure=1;
+			break;
+#endif
 		case 'P':	/* XXX for nfs-server compatibility */
 		case 'p':
 			port = atoi(optarg);
@@ -778,7 +789,12 @@ usage(const char *prog, int n)
 	fprintf(stderr,
 "Usage: %s [-F|--foreground] [-h|--help] [-v|--version] [-d kind|--debug kind]\n"
 "	[-o num|--descriptors num] [-f exports-file|--exports-file=file]\n"
-"	[-p|--port port] [-V version|--nfs-version version]\n"
+#ifdef HAVE_TCP_WRAPPER 
+"	[-i|--insecure] [-p|--port port]"
+#else
+"	[-p|--port port]"
+#endif
+" [-V version|--nfs-version version]\n"
 "	[-N version|--no-nfs-version version] [-n|--no-tcp]\n"
 "	[-H ha-callout-prog] [-s|--state-directory-path path]\n"
 "	[-g|--manage-gids] [-t num|--num-threads=num]\n", prog);
diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
index 2f42d00..1a78bda 100644
--- a/utils/mountd/mountd.man
+++ b/utils/mountd/mountd.man
@@ -72,6 +72,7 @@ By default, export information is read from
 .B \-h " or " \-\-help
 Display usage message.
 .TP
+.TP
 .B \-o num " or " \-\-descriptors num
 Set the limit of the number of open file descriptors to num. The
 default is to leave the limit unchanged.
@@ -165,6 +166,11 @@ the server. Note that the 'primary' group id is not affected so a
 .I newgroup
 command on the client will still be effective.  This function requires
 a Linux Kernel with version at least 2.6.21.
+.TP
+.B \-i " or " \-\-insecure
+Disables the hosts access protection provided by the
+.B tcp_wrapper
+library
 
 .SH TCP_WRAPPERS SUPPORT
 This
diff --git a/utils/statd/statd.c b/utils/statd/statd.c
index 321f7a9..72919db 100644
--- a/utils/statd/statd.c
+++ b/utils/statd/statd.c
@@ -71,6 +71,9 @@ static struct option longopts[] =
 	{ "notify-mode", 0, 0, 'N' },
 	{ "ha-callout", 1, 0, 'H' },
 	{ "no-notify", 0, 0, 'L' },
+#ifdef HAVE_TCP_WRAPPER 
+	{ "insecure", 0, 0, 'i' },
+#endif
 	{ NULL, 0, 0, 0 }
 };
 
@@ -84,12 +87,13 @@ extern void simulator (int, char **);
 
 #ifdef HAVE_TCP_WRAPPER 
 #include "tcpwrapper.h"
+int insecure=0;
 
 static void 
 sm_prog_1_wrapper (struct svc_req *rqstp, register SVCXPRT *transp)
 {
 	/* remote host authorization check */
-	if (!check_default("statd", svc_getcaller(transp),
+	if (!insecure && !check_default("statd", svc_getcaller(transp),
 				 rqstp->rq_proc, SM_PROG)) {
 		svcerr_auth (transp, AUTH_FAILED);
 		return;
@@ -153,6 +157,9 @@ usage(void)
 	fprintf(stderr,"      -h, -?, --help       Print this help screen.\n");
 	fprintf(stderr,"      -F, --foreground     Foreground (no-daemon mode)\n");
 	fprintf(stderr,"      -d, --no-syslog      Verbose logging to stderr.  Foreground mode only.\n");
+#ifdef HAVE_TCP_WRAPPER 
+	fprintf(stderr,"      -i, --insecure       Don't do host access checks\n");
+#endif
 	fprintf(stderr,"      -p, --port           Port to listen on\n");
 	fprintf(stderr,"      -o, --outgoing-port  Port for outgoing connections\n");
 	fprintf(stderr,"      -V, -v, --version    Display version information and exit.\n");
@@ -274,7 +281,7 @@ int main (int argc, char **argv)
 	MY_NAME = NULL;
 
 	/* Process command line switches */
-	while ((arg = getopt_long(argc, argv, "h?vVFNH:dn:p:o:P:L", longopts, NULL)) != EOF) {
+	while ((arg = getopt_long(argc, argv, "h?vVFNH:din:p:o:P:L", longopts, NULL)) != EOF) {
 		switch (arg) {
 		case 'V':	/* Version */
 		case 'v':
@@ -292,6 +299,11 @@ int main (int argc, char **argv)
 		case 'd':	/* No daemon only - log to stderr */
 			run_mode |= MODE_LOG_STDERR;
 			break;
+#ifdef HAVE_TCP_WRAPPER 
+		case 'i':
+			insecure = 1;
+			break;
+#endif
 		case 'o':
 			out_port = atoi(optarg);
 			if (out_port < 1 || out_port > 65535) {
diff --git a/utils/statd/statd.man b/utils/statd/statd.man
index e8be9f3..11842ad 100644
--- a/utils/statd/statd.man
+++ b/utils/statd/statd.man
@@ -141,6 +141,11 @@ to print out command-line help and exit.
 Causes
 .B rpc.statd
 to print out version information and exit.
+.TP
+.B \-i, " " \-\-insecure
+Disables the hosts access protection provided by the
+.B tcp_wrapper
+library