The manpage systemd.exec implies that specifying a TCPWrapName uses /etc/hosts.{allow,deny} in the same way as tcpd(8). However, this is not the case: when /etc/hosts.allow is used for setting environment variables, these variables are not handed over to the executed program. ---Example env.socket--- [Unit] Description=Network socket for incoming env connections [Install] WantedBy=sockets.target [Socket] ListenStream=13131 Accept=true ---/Example--- ---Example env@.service--- [Unit] Description=test daemon After=local-fs.target [Service] Environment=PATH=/bin:/usr/bin:/sbin:/usr/sbin WorkingDirectory=/tmp #ExecStart=@/usr/sbin/tcpd /usr/bin/env ExecStart=/usr/bin/env StandardInput=socket StandardOutput=inherit StandardError=syslog TCPWrapName=env ---/Example--- ---Example /etc/hosts.allow--- env : 127.0.0.1 : setenv TEST working ---/Example--- Steps to Reproduce: 1. Create env.socket, env@.service and /etc/hosts.allow as above 2. netcat 127.0.0.1 13131 Actual Results: The output does not contain "TEST=working" Expected Results: The expected result can be seen by activating the out-commented ExecStart line in env@.service: the output contains the line TEST=working As can be seen by the example, explicitly running /usr/sbin/tcpd in ExecStart is an (ugly) workaround for the problem.
Umm, this is an incredibly broken feature of tcpwrappers, and we have no plan to ever support this. I have now fix the documentation to clarify that we support tcpwrappers for access control only.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.